CJEU Invalidates EU-US Privacy Shield Data Transfers

The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield that allows firms to transfer EU citizen’s private data to the United States for data processing.  The EU maintains higher consumer data privacy laws that conflict with US security and legal policies.

“Today’s decision effectively blocks legal transfers of personal data from the EU to the US.  It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

The CJEU held that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”

“In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies…

The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.”

“Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems,” 16 July 2020

The EU-US Privacy Shield was implemented several years ago after the CJEU held that the prior US Safe Harbor regime was insufficient.

Privacy advocate Max Schrems brought the cases that invalidated Safe Harbor and EU-US Privacy Shield.  Following the ruling, he stated:

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market…The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law.  As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners.  Surveillance reform thereby becomes crucial for the business interests of Silicon Valley…

This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.  You can’t blame the Court to say the unavoidable — when shit hits the fan, you can’t blame the fan.”

Privacy Advocate and Plaintiff Max Schrems

“This leaves a huge question mark over data transfers to the US, said Tanguy Van Overstraeten, partner and global head of privacy and data protection law at the law firm Linklaters.  “The Court has struck down the EU-U.S. Privacy Shield because it considers the US state surveillance powers are excessive.  For the thousands of businesses registered with the US Privacy Shield, this will be groundhog day; this is the second time the FTC operated scheme has been struck down after the Shields predecessor — the Safe Harbor — was struck down in 2015.  Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.”

The ruling also puts in question data transfers to Russia, China, and potentially the UK post-Brexit.

“The CJEU’s judgment could have implications for the UK’s prospects of gaining adequacy at the end of the Brexit transition period,” said Peter Church, counsel at Linklaters.  “This will necessarily involve an assessment of the UK’s surveillance powers under the Investigatory Powers Act 2016.  However, there are a number of differences between the UK and US regimes.  For example, the UK regime has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law.  In addition, the UK regime does not have the same distinction between UK and foreign nationals, unlike US law which does not grant the same rights to non-US citizens.”

“This is a bold move by Europe,” said Jonathan Kewley, co-head of technology at law firm Clifford Chance.  “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”

Standard Contract Clauses (SCCs) may also be insufficient.  “If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work,” said Kewley.  “I don’t know how much appetite they have to do this, but it’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment.  I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”

One likely impact will be the localized processing of EU consumer data within EU data centers.  Over 5,300 companies rely upon the EU-US Privacy Shield as part of their GDPR and broader EU compliance.  Companies that rely upon the Privacy Shield span a broad set of B2B data, DaaS, social networking, CDPs, and cloud companies [searchable list].  These include Zoominfo, Dun & Bradstreet (including Lattice Engines), Experian, Infogroup, TechTarget, Microsoft (including LinkedIn), Facebook, Twitter, Google, Amazon (including AWS), Oracle, Salesforce, HubSpot, Adobe (including Marketo), LiveRamp, Melissa, TowerData, 6Sense, Leadspace, SalesLoft, Outreach, Groove, VanillaSoft, Yesware, and ConnectLeader.

Firms are also likely to ramp up their GDPR and CCPA compliance messaging, but that does not address the weaker data privacy structures of US law.

CCPA Now in Effect

The California Consumer Privacy Act (CCPA) went into force this week, but enforcement will be delayed for six months.  “We’re going to help folks understand our interpretation of the law,” said California Attorney General Xavier Becerra.  “And once we’ve done those things, our job is to make sure there’s compliance, so we’ll enforce.”

Microsoft indicated that CCPA will be used as a national standard. Microsoft has already extended EU GDPR compliance globally and called privacy “a fundamental human right.”

“CCPA marks an important step toward providing people with more robust control over their data in the United States,” wrote Microsoft’s Chief Privacy Officer Julie Brill.  “It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”

CCPA requires firms to be transparent in how they collect and use consumer data.  Individuals also have the option to block sales of personal data.  However, “Exactly what will be required under CCPA to accomplish these goals is still developing,” wrote Brill.

Microsoft supports a national privacy law which cover “more robust accountability requirements” including minimizing data collection, transparency around how data is being used, and “making them more responsible for analyzing and improving data systems to ensure that they use personal data appropriately.”

Facebook is hedging, saying “we do not sell people’s data” without acknowledging that its business is based on monetizing member data and that it has a poor history of controlling partner data collection on its platform.

Salesforce CEO Marc Benioff called Facebook the “new cigarettes for our society,” which undermines societal trust.  On CNN’s Reliable Sources, Benioff called for Facebook to be regulated or split up.  “They’re certainly not exactly about truth in advertising.  Even they have said that.  That’s why we’re really in squarely a crisis of trust, when the core vendor themselves cannot say that trust is our most important value.  Look, we’re at a moment in time where each one of us in every company has to ask a question: What is our highest value?”

“I expect a fundamental reconceptualization of what Facebook’s role is in the world,” continued Benioff.  “When you have an entity that large with that much potential impact, and not fundamentally doing good things to improve the state of the world, well, then I think everyone is going to have it in its crosshairs.”