The European Court of Justice (ECJ), the highest court of the European Union (EU), ruled yesterday to invalidate the Privacy Shield, a commonly used legal mechanism to transfer personal data between the EU and U.S. while still complying with the EU’s General Data Protection Regulation (GDPR). This alert continues the Nixon Peabody Data Privacy and Cybersecurity Group’s coverage of U.S. and EU privacy laws and regulations.
What was the Privacy Shield?
The Privacy Shield, created in 2016, was an important mechanism for U.S. businesses — more than 5,300 U.S. businesses currently rely on it to enable the valid transfer of EU personal data to the United States. The Privacy Shield was established after a 2015 ECJ ruling invalidated the previous mechanism, the Safe Harbor principles. That ruling, and yesterday’s decision, resulted from legal challenges against Facebook by Austrian privacy activist Maximilian Schrems.
Why did the Court rule this way?
The spirit of the Privacy Shield was to ensure that transferred data would receive equivalent protection on both sides of the Atlantic. In its opinion, the ECJ invalidated the Privacy Shield on the grounds that it did not offer EU citizens sufficient protection against U.S. government surveillance to satisfy that standard. This reasoning is consistent with the grounds on which the ECJ invalidated the Safe Harbor principles.
The imbalance of protection for EU citizens’ personal data in the U.S. was precipitated by a 2017 Executive Order signed by President Donald Trump that orders executive agencies to exclude non-U.S. persons from protections under U.S. privacy laws.
The ECJ did not, however, invalidate the other primary mechanism for EU-U.S. data transfers: the Standard Contractual Clauses. While more cumbersome than the Privacy Shield, in that they have to be implemented on a case-by-case basis, the Standard Contractual Clauses currently are the only valid and practicable mechanism businesses can use, since binding corporate rules often require long approval processes and other costly obstacles.
What are the implications of this ruling for U.S. businesses?
The ECJ judgment creates uncertainty for any business relying on the Privacy Shield. Using history as a guide, it is to be expected that a new mechanism will be created in the wake of the Privacy Shield. In the meantime, businesses should review transfers of personal data from the EU to the U.S. and make sure they are protected by the Standard Contractual Clauses, which remain valid legal mechanisms to comply with the GDPR. Valid transfers of personal data are only one step toward compliance with the GDPR, however. Full compliance with the GDPR requires a fact-intensive review of all aspects of business operations, and should be undertaken with the assistance of experienced counsel.