EU-US Privacy Shield Framework Invalid, Rules Court of Justice of European Union

Jul 22, 2020 | Blog

On July 16, 2020, the Court of Justice of the European Union (CJEU) declared that the EU-US Privacy Shield Framework (“Privacy Shield”) was invalid in that it violated fundamental principles of EU law, including the General Data Protection Regulation (GDPR). Thousands of US companies registered with Privacy Shield relied upon it to send personal data of European Union residents to the US for regular business uses in a relatively seamless way. While it appears that EU supervisory authorities will allow at least some time for US companies to replace the data protection safeguards provided by Privacy Shield, if your US entities or US business partners were registered with Privacy Shield, revisions of agreements and protocols will be required in a short timeframe.

To read the opinion of the CJEU in its entirety, click here. In the many pages of text, the takeaways of most immediate concern are as follows:

  1. The Court invalidated the Privacy Shield Framework on two grounds: First, that the US government remains engaged in indiscriminate surveillance of all data hosted in the US, and that such surveillance violates European privacy principles in GDPR and the EU Charter of Fundamental Rights that government surveillance should be proportionate and collect only data strictly necessary for the purposes of the surveillance. Second, the Privacy Shield Ombudsperson did not provide the requisite means of US redress for EU residents who believed that their privacy rights had been violated by US companies registered with Privacy Shield.
  2. There are two other means of documenting data protection that are acceptable to the EU for purposes of safeguarding transfers of personal data from the EU to the US. The first is Binding Corporate Rules, a form of global code of conduct that was not at issue in this case. The second is Standard Contractual Clauses (SCCs), in which the data controller and data processor agree to several standards of data protection set out in the SCCs. Generally, those requirements are stricter than the Privacy Shield Principles. The SCCs were challenged in the case before the CJEU (entitled Data Commissioner v. Facebook Ireland, Ltd. (Maximillian Schrems)) and were upheld. However, the Court stated that EU Member State supervisory authorities may, in the face of a complaint by an EU resident, suspend or even prohibit transfers of personal data from that country to the US if the Authority finds that the SCC standards were not met. Practically, this means that your clients and customers in the EU will be much stricter in verifying compliance with the SCC requirements, and that you may want to increase your scrutiny of your subcontractors who process EU personal data.

If you were registered with Privacy Shield, we recommend that you review the Standard Contractual Clauses that will be required in place of Privacy Shield representations to determine whether you are meeting the requirements of the Clauses and have documented how you meet them. The standards of the Clauses are not identical to the former Privacy Shield Principles to which you agreed when you registered with Privacy Shield. We also recommend that you undertake an inventory of service agreements and other contracts in which third parties process personal data of EU residents to determine whether the data protection representations of those third parties were based on Privacy Shield registration. Those agreements will require revision as soon as practicable.

A business imperative for conducting these reviews and revisions now is that the European Union is returning to a pre-COVID-19 business status more quickly than the US. As a result, consumers in the European Union, as reported in The New York Times on July 15, 2020, may provide a more robust market than those in the US, at least for the next several months.

Those consumers demand adherence to data protection principles, and a 2019 data privacy benchmark study by Cisco, “Maximizing the Value of Your Data Privacy Investments,” has indicated that organizations that adhere to GDPR principles have a shorter sales cycle.

If you have questions regarding how to ascertain your organization’s or client’s capability to meet the Contractual Clause requirements or require assistance in reviewing and revising your service agreements and other contracts in the wake of the CJEU decision, please contact Kenneth N. Rashbaum.