CJEU Invalidates EU-US Privacy Shield Data Transfers

The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, which allowed firms to transfer EU citizens’ private data to the United States for data processing.  The EU maintains stricter consumer data privacy laws that conflict with US security and legal policies.

“Today’s decision effectively blocks legal transfers of personal data from the EU to the US.  It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

The CJEU held that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”

“In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies…

The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.”

“Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems,” 16 July 2020

The EU-US Privacy Shield was implemented several years ago after the CJEU held that the prior US Safe Harbor regime was insufficient.

Privacy advocate Max Schrems brought the cases that invalidated Safe Harbor and EU-US Privacy Shield.  Following the ruling, he stated:

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market…The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law.  As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners.  Surveillance reform thereby becomes crucial for the business interests of Silicon Valley…

This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.  You can’t blame the Court to say the unavoidable — when shit hits the fan, you can’t blame the fan.”

Privacy Advocate and Plaintiff Max Schrems

“This leaves a huge question mark over data transfers to the US,” said Tanguy Van Overstraeten, partner and global head of privacy and data protection law at the law firm Linklaters.  “The Court has struck down the EU-U.S. Privacy Shield because it considers the US state surveillance powers are excessive.  For the thousands of businesses registered with the US Privacy Shield, this will be groundhog day; this is the second time the FTC-operated scheme has been struck down after the Shield’s predecessor — the Safe Harbor — was struck down in 2015.  Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.”

The ruling also puts in question data transfers to Russia, China, and potentially the UK post-Brexit.

“The CJEU’s judgment could have implications for the UK’s prospects of gaining adequacy at the end of the Brexit transition period,” said Peter Church, counsel at Linklaters.  “This will necessarily involve an assessment of the UK’s surveillance powers under the Investigatory Powers Act 2016.  However, there are a number of differences between the UK and US regimes.  For example, the UK regime has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law.  In addition, the UK regime does not have the same distinction between UK and foreign nationals, unlike US law which does not grant the same rights to non-US citizens.”

“This is a bold move by Europe,” said Jonathan Kewley, co-head of technology at law firm Clifford Chance.  “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”

Standard Contractual Clauses (SCCs) may also be insufficient.  “If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work,” said Kewley.  “I don’t know how much appetite they have to do this, but it’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment.  I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”

One likely impact will be the localized processing of EU consumer data within EU data centers.  Over 5,300 companies rely upon the EU-US Privacy Shield as part of their GDPR and broader EU compliance.  Companies that rely upon the Privacy Shield span a broad set of B2B data, DaaS, social networking, CDPs, and cloud companies [searchable list].  These include Zoominfo, Dun & Bradstreet (including Lattice Engines), Experian, Infogroup, TechTarget, Microsoft (including LinkedIn), Facebook, Twitter, Google, Amazon (including AWS), Oracle, Salesforce, HubSpot, Adobe (including Marketo), LiveRamp, Melissa, TowerData, 6Sense, Leadspace, SalesLoft, Outreach, Groove, VanillaSoft, Yesware, and ConnectLeader.

Firms are also likely to ramp up their GDPR and CCPA compliance messaging, but that does not address the weaker data privacy structures of US law.

GDPR First Anniversary (Is Your Data More Secure?)

As GDPR hit its first anniversary on Saturday, Microsoft once again called for a US privacy law which shifts the onus of data privacy from the individual to corporations.  Today, Americans operate in an opt-out regime which requires them to find and manage their privacy settings.

“This places an unreasonable — and unworkable — burden on individuals,” wrote Microsoft’s Deputy General Counsel Julie Brill.  “Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”

Microsoft prefers a single federal standard to piecemeal state-level laws such as California’s CCPA.  Brill said the legislation should be interoperable with the GDPR to help reduce the “cost and complexity of compliance.”  This framework should reflect “the changing understanding of the right to privacy in the United States and around the world.”  The proposed legislation should “uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.”

“For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting requirements—for privacy protection in the countries where they do business,” said Brill.

According to eMarketer analyst Ross Benes, the US ad industry has shifted from a call for self-regulation to supporting national privacy regulations, fearing “a patchwork of different rules” as “legislation looks increasingly inevitable.”

A TrustArc/Ipsos survey of UK adults (16 – 75) found a 36% improvement in trust concerning personal data since GDPR went into effect.

Source: TrustArc / Ipsos GDPR Survey of 2,230 UK adults (May 2019)

A Snow study found that 39% of global business professionals believe their data is better protected since GDPR passed, with the biggest increase in the APAC region (48%).  40% of Europeans also believed their personally identifiable information is more secure, but only 30% in the US held the same belief.

74% of surveyed professionals believe that the technology industry needs more regulation with 83% of APAC and 72% of US respondents wanting additional tech regulation.

The EU has yet to strictly enforce the law, with only one large fine ($56M) levied so far, against Google in France. However, Google and the social media and advertising companies are all subject to ongoing suits:

The latest investigation — the first by the Irish watchdog into Google — brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.

Los Angeles Times, “Google could face hefty EU fine over possible privacy violations,” May 22, 2019

“What is important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach,” said Ben Feldman, SVP of strategy and innovation at NYIAX.  “I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation.  It is quite likely that we will see more fines in the coming months.”

Rhetorik: What Does GDPR Mean for B2B Marketing?

I’ve been looking for a good description of what GDPR (General Data Protection Regulation) means to B2B marketers and finally came across a session given by UK technology profiler Rhetorik.  There have been a number of issues that have muddied the waters, making it difficult to provide much more than general rules.  Amongst the issues are a focus on the implications to consumer marketers, the lack of a general law that spans the EU, and an emphasis on rumors and fears about what will happen to firms that fail to comply with the regulation.

Rhetorik Data Protection Officer Samantha Magee noted that GDPR covers how and why companies hold and protect data.  It is focused on internal processes rather than external communications, and is channel agnostic.

In around 18 months, the EU will pass uniform ePrivacy legislation which covers external communications in member countries.  Until then, rules will remain fragmentary.  For example, Opt-in or Opt-out protocols differ by country with the UK amongst the more liberal countries:

Opt-in / Opt-out workflow by country (Source: Rhetorik)

For the moment, GDPR has given teeth to local regulations.  In the UK, the PECR (The Privacy and Electronic Communications Regulations of 2003), overseen by the Information Commissioner’s Office (ICO), remains the applicable regulation for consumer, sole trader, and small partnership communications.  It was drafted after the European Directive 2002/58/EC, otherwise known as the ‘e-privacy Directive’, was implemented in 2002.

There are six bases for communicating with clients and prospects, all of which have equal weight: Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest.  Of these, Consent (e.g. opt-in) and Legitimate Interest are the most common for B2B marketers.  Support and service departments would most likely be covered under contractual relationships.

“Legitimate Interest aims to provide a solid and lawful basis upon which commercial communication can occur, allowing marketers to promote their products and services to a targeted and well defined audience,” said Magee.  “At its heart, is the desire to ensure that commercial practices and communications are relevant to the individual, offering the assurance that high standards of care are applied and that their essential privacy rights are considered of the utmost importance.”
Part II continues with a discussion of the UK PECR law and additional details on Legitimate Interest.

LeadGnome: EU-US Privacy Shield Certification

Account Based Intelligence vendor LeadGnome completed the EU-U.S. Privacy Shield certification process with the U.S. Department of Commerce.  The new process is intended to ensure that privacy is protected when personal data is transferred from the EU to the US.  The Privacy Shield process was implemented last summer after the previous Safe Harbour regime was invalidated by the European Court of Justice.

LeadGnome’s email reply service mines reply emails for intelligence such as left-the-company notices, out-of-office replies, changes of position, changes of name or email address, and unsubscribe requests.  “LeadGnome is unique in its ability to mine the unstructured body of reply emails for account based intelligence.  It was, therefore, important to acquire EU-U.S. Privacy Shield certification to assure our customers of our commitment to the privacy of their data,” said Matt Benati, CEO of LeadGnome.

Because the firm collects emails, titles, and business phones, they did not have to go through the more stringent approval level for firms that store credit, payment, or personal data.  This helped expedite the approval process with the Department of Commerce.  As LeadGnome was already Safe Harbour compliant, the approval process was focused on conforming to changes between the Safe Harbour and Privacy Shield.  LeadGnome worked with the Better Business Bureau as a compliance partner and completed the process in about two months.  Benati believes the process will speed up as the certification backlog clears, but noted that his firm benefited from having Safe Harbour certification.

The LeadGnome platform is integrated with major CRMs and MAPs including Salesforce, HubSpot, Marketo and Oracle Cloud.

“LeadGnome is committed to data privacy and business transparency. We had already employed many of the required best practices, so the certification process was completed significantly ahead of schedule,” said Benati.

Other vendors that are Privacy Shield compliant include Dun & Bradstreet, Avention, Zoominfo, Infogroup, Salesforce, Microsoft, Oracle, SalesLoft, ReachForce, and Outreach.  The US International Trade Administration publishes a list of Privacy Shield compliant firms.

US-EU Privacy Shield

The US and EU finalized a new Privacy Shield agreement to replace the recently invalidated Safe Harbour agreement concerning data privacy.  The new program allows firms to begin self-certifying their compliance as of August 1st.  As part of the agreement, the US Department of Commerce will begin conducting regular compliance reviews.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible,” said Andrus Ansip, vice president for the European Commission’s Digital Single Market initiative. “Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”

The US government will also implement “clear limitations, safeguards and oversight mechanisms” concerning the handling of European data.  Furthermore, the European Commission has assurances that bulk data collection would only be conducted “under specific preconditions and needs to be as targeted and focused as possible.”

A complaint mechanism is in place for Europeans which would be handled by the US Department of Commerce or the US Federal Trade Commission.  Mechanisms also exist for an independent ombudsman where national security questions come into play.

While tech companies applauded the new agreement, European privacy advocates contend the deal still fails to protect European citizens.