System Error, Data Adequacy Not Found: CJEU invalidates EU-US Privacy Shield
July 24, 2020
What's going on here?
The Court of Justice of the European Union (CJEU) recently ruled that the EU-US Privacy Shield (the legal mechanism used to transfer data between the EU and the US) was invalid.
What does this mean?
The EU’s General Data Protection Regulation (GDPR) contains a couple of important measures on international data transfers. It imposes obligations on companies that transfer data outside the EU and only permits data transfers to nations that meet European data protection standards (known as data adequacy). These obligations can only be waived when a set of specific rules is in place or the data subject has given their consent.
The landmark Schrems II ruling concerns data transfers between the EU and the US. The case was brought by the Austrian data privacy activist Max Schrems who has now twice won legal battles against Facebook in the CJEU that have invalidated the EU-US framework for transferring data (you can read more about this here). In this case, he argued that Facebook could not adequately protect his data from US intelligence agencies.
Previously, if you were a European company transferring data to the US, you had the following two options:
- You could use standard contractual clauses (SCC) to transfer data.
- You could make data transfers under the EU-US Privacy Shield Framework.
The Schrems II ruling has now invalidated this second option but decided that SCCs should remain valid. The CJEU judges invalidated the Privacy Shield on the grounds that both Section 702 of the Foreign Intelligence Surveillance Act in the US and the Ombudsman mechanism that underpinned the Privacy Shield failed to protect EU data to the standard required by Article 47 of GDPR.
What's the big picture effect?
The landmark ruling raises more questions than it answers. It means that over 5000 companies, including law firms, banks and car manufacturers, that were using the Privacy Shield might have to use SCCs for data transfers. The ruling underlines the obligation on data exporters to ensure that the country to which data is being transferred via SCCs is compliant with EU law.
Businesses, therefore, will have to undertake Transfer Impact Assessments (due diligence on the country where data is being received) on a “case-by-case basis”, as well as current Data Protection Impact Assessments and Legitimate Interests Assessments. These are long and complicated processes and may prove to be a near-impossible task for businesses. The fact that it took the CJEU over a year to assess the US’s transfer impact is, ironically, a clear example of the assessment’s complexity.
The EU and the US will have to renegotiate a new data transfer framework to uphold the “$7.1 trillion transatlantic economic relationship”. This is not an impossible challenge: the Privacy Shield itself is the replacement for the original Safe Harbour Agreement that Schrems invalidated in 2015. But it will take some time to establish such a framework, with experts only expecting to see the Privacy Shield’s replacement materialise in around a year’s time.
The ruling also leaves regulators with some important questions over enforcement. As happened in 2015, data protection authorities (DPAs) are expected to be lenient as businesses respond to the implications of the ruling. But ultimately they will face the same complexities as businesses when scrutinising the legality of data transfers under these strenuous assessments. They may even consider blacklisting certain countries, further disrupting business.
Finally, it puts extra pressure on Brexit negotiations. The UK will hope to be granted data adequacy by the EU, thereby providing an easier alternative to SCCs. However, the EU has in the past signalled that British intelligence surveillance laws are not compatible with EU law. Combined with tricky politics, it is possible that the UK would also be denied adequacy, potentially putting British businesses at risk.
One winner from this is lawyers, whose legal advice will be vital for those wishing to avoid the sharp edge of a GDPR fine that is a maximum of €20m or 4% of the guilty party’s global turnover (whichever is larger). For now, however, businesses are forced to closely watch how these regulatory uncertainties play out.
Report written by Will Holmes