The end of the Privacy Shield

The European Court of Justice (ECJ) has struck down the EU-US Privacy Shield as invalid, having determined that the Privacy Shield cannot provide an adequate level of protection for personal data transferred from the EU to organisations in the US given the requirements of US law.

The Privacy Shield was designed to enable the transfer of the personal data of EU citizens to the US in a manner that respected the rights of EU citizens, as enshrined in such instruments as the Charter of Fundamental Rights of the European Union and the General Data Protection Regulation (GDPR). It imposed stronger obligations on US companies than would ordinarily be required under US law and enabled thousands of participating organisations to self-certify their adherence to numerous principles governing their use and treatment of EU citizens’ personal data. The ECJ’s decision to invalidate it therefore leaves many companies questioning whether their overseas data transfers are now lawful.

The ECJ’s ruling follows a request from Mr Maximillian Schrems to the Data Protection Commissioner of Ireland. He asked the Commissioner to prohibit or suspend the transfer of his personal data by Facebook Ireland to the US servers of Facebook Inc. on the grounds that the US did not ensure an adequate level of protection for Mr Schrems’ personal data.

The Court considered whether US national security laws that require US companies to make personal data transferred to them available to certain US authorities meant that the Privacy Shield could not adequately protect EU citizens’ privacy, and whether the Commissioner was therefore obliged to prevent such transfers. Among the Court’s considerations was the reach of US data surveillance programs such as PRISM and UPSTREAM, which rely on mass surveillance rather than targeted measures limited to what is strictly necessary.

In its decision, the ECJ recognised that the primacy of US national security, public interest and law enforcement requirements amounted to an interference with the fundamental rights of EU citizens whose data is transferred to the US under the Privacy Shield. The Privacy Shield therefore could not ensure a level of protection essentially equivalent to that guaranteed by EU law, and the ECJ accordingly concluded that the earlier Commission decision validating the Privacy Shield was invalid.

The ECJ did, however, uphold a Commission decision that so-called standard contractual clauses (SCCs) could continue to be used by businesses as an alternative means of transferring personal data outside the EU. These are essentially individual agreements that govern how data will be protected and treated. However, the ECJ observed that SCCs should include effective mechanisms that allow compliance with EU law to be ensured. So while the ECJ’s decision means that SCCs may be acceptable in principle for overseas data transfers, the conflict between EU and US law apparent in the ECJ’s judgment could ultimately lead to challenges to their effectiveness in practice. Companies will therefore need to consider carefully whether any SCCs they rely upon can actually be complied with.

At this point in time, the UK Information Commissioner’s Office (ICO) has advised UK organisations already using the Privacy Shield to continue to do so until new guidance is available, although it cautions organisations that do not currently use it against starting to do so. Given the impact of the ECJ’s ruling, however, the changes that may ultimately be needed to EU-US data transfer arrangements and agreements could prove extensive.

Paul Schwartfeger on 16 July 2020