Privacy Shield in a Nutshell
- Under EU law, Europeans’ personal information is only to be exported into countries with data protections deemed to be sufficient by the European Commission.
- The United States lacks any strong federal data protection legislation. Consequently, the European Commission has deemed the US’s data protections to be insufficient, thus making data transfers to the US illegal under EU law.
- To address this issue, the US and EU came to an agreement through the EU-US Privacy Shield.
- Through the deal, US companies could voluntarily choose to self-certify themselves as a Privacy Shield entity, which would legally bind them to adhere to EU law when handling personal information.
- Certified entities were then empowered to receive European personal information.
The European Court of Justice’s July 2020 Ruling
- The EU-US Privacy Shield was declared invalid by the EU’s highest court, effective July 16, 2020.
- The Court based its reasoning on current US intelligence laws.
- While entities can self-certify and comply with EU data and privacy laws, the entities have no control over the actions taken by US intelligence.
- Under current US surveillance laws, there is no carve-out for Privacy Shield certified entities. Therefore, entities cannot guarantee that their housed data will not be collected by US intelligence agencies.
- Additionally, there is no avenue of recourse for Europeans who are being surveilled. While they can file a complaint with the entity, the entity has no power over US intelligence.
- The US Department of Commerce has reacted to the ruling by committing to “continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
- The US Department of Commerce has also stated that “the decision does not relieve participating organizations of their Privacy Shield obligations.”
What Does it Mean?
- This was an immediately effective ruling by the highest court in the EU. This means that all US-based entities currently handling Europeans’ personal information through the now defunct EU-US Privacy Shield are likely in violation of EU law. This is unappealable; there is no higher court to appeal to.
- The US Department of Commerce’s statements hold little weight. With no reciprocity from the European side, the Department of Commerce’s statements are essentially null. Europe will not recognize the Privacy Shield as a legal method for US entities to handle European personal information.
- The ruling does not affect Article 6 of GDPR (Lawfulness of Processing). This article of the GDPR contains a significant exception to the requirement that an importing country have sufficient data protections in place.
- If the processing of Europeans’ personal data is “necessary” for the fulfillment of a direct contract with the data subject, the data processing is legal.
- Therefore, US entities that contract with EU residents directly and only process data which is necessary for the fulfillment of such a contract are not in violation of EU law.
- The simplest potential legal path for US entities to continue to handle EU personal information is through Standard Contractual Clauses (SCCs).
SCCs as an Alternative?
- Some US entities have foregone Privacy Shield certification in favor of SCCs.
- SCCs are standard contracts published by the European Commission that bind both parties to comply with EU data privacy standards. These contracts were published to provide a way for entities to bind themselves to adequate data protections under EU law.
- This mechanism has not been directly eliminated by the European Court of Justice (ECJ) ruling.
- However, the elimination of the EU-US Privacy Shield carries new implications for SCCs.
- By applying the ECJ’s reasoning for striking down the Privacy Shield, it becomes clear that SCCs are opened to legal challenges by European residents, entities, and regulators.
- In order to use SCCs, US entities must be prepared to defend themselves and assert that they are outside the scope of US intelligence.
- This is impossible for large tech entities like Facebook and Google, but it may be possible for some entities depending on their size and industry.
- Recognize that if you are an entity currently handling European personal information through the EU-US Privacy Shield, you are likely in violation of EU law.
- Realize that even though the EU does not recognize the Privacy Shield, US law still does. We advise continued Privacy Shield compliance as long as the US continues to recognize the Privacy Shield.
- Immediately begin to examine the viability of implementing SCCs as justification for your entity’s handling of European data.
- Understand that if you directly contract with EU residents and only process data which is necessary for the fulfillment of that contract, you are likely not in violation of EU law.
- Recognize that this ruling puts tremendous pressure on the United States to pass federal data protection legislation. Be prepared for sweeping federal data privacy and security legislation in the coming years.
- Realize that you are not alone in navigating these challenges. Over 5,000 US-based Privacy Shield entities existed before this ruling. This bombshell ruling has shaken all of them.
For questions about how to move forward, please contact a member of McGrath North’s Privacy and Cybersecurity Practice Group.