EU Court Invalidates Privacy Shield Data Transfer Mechanism
Data Privacy & Security Alert 07/17/20 Bari L. Nathan, Gregory J. Leighton
On July 16, 2020, the European Union’s highest court invalidated the EU-US Privacy Shield framework, a key mechanism used by thousands of companies to lawfully transfer data out of the EU, due to fears over potential surveillance by the United States government. The Privacy Shield framework was instituted in 2016 to replace the US-EU Safe Harbor framework, a mechanism that was similarly invalidated by the EU court in 2015.
European data protection law states that the transfer of personal data to countries outside of the European Economic Area (“EEA”) may only take place when there is an “adequate” level of protection to the fundamental rights of European data subjects. Data transfers to US companies that signed up to the Privacy Shield framework were considered adequate; however, this decision means that transfers to the US can no longer take place on such a basis.
In the absence of an adequacy decision, European data protection law allows a data transfer if the business has provided “appropriate safeguards.” These safeguards may include:
- Standard Contractual Clauses (“SCCs”), model data protection clauses that have been approved by the European Commission and enable the flow of personal data when incorporated into a contract; and
- Binding Corporate Rules (“BCRs”), legally binding internal guidelines operating within a multinational organization that enable transfers of personal data from the organization’s entities in the EEA to the organization’s entities outside of the EEA.
Notwithstanding its invalidation of the Privacy Shield framework, the EU court upheld in principle the use of SCCs, rejecting the argument that SCCs should be deemed invalid because they do not prevent US intelligence officials and other third parties from accessing transferred data. However, the court expressed doubts about data protection in the US, creating uncertainty around the legality of the SCCs where a US company receiving data from the EU is subject to surveillance pursuant to laws such as the Foreign Intelligence Surveillance Act (“FISA”). The EU court reaffirmed that both sides involved in an EU-US data transfer must make an assessment to ensure that the data will be treated with the same degree of protection required by EU data protection law, and held that if the assessment reveals that there is not enough protection, the business exporting the data out of the EEA can implement additional safeguards. However, if the importer cannot meet the requirements even with additional safeguards, SCCs cannot be used as a mechanism for transfer.
Given the EU court’s skepticism of data protection practices in the US and the requirement that parties to a data transfer must assess whether the data will be treated with a similar level of protection as required by EU data protection law, US companies that are subject to US government surveillance may not be able to rely on SCCs.
The practical effect of the EU court’s ruling is that:
- Companies that rely on Privacy Shield should decide on a different mechanism to lawfully transfer data out of the EEA, such as SCCs or BCRs; and
- Businesses should evaluate their vendors who store or otherwise process EU personal data to ensure that they have a lawful data transfer mechanism, and amend their contracts as necessary.
For more information on the ruling and how it may impact your business, contact your local Quarles & Brady attorney or reach out to the Data Privacy & Security Team: