On July 16, the European Court of Justice (ECJ or the Court) struck down the EU-U.S. Privacy Shield program. The ruling invalidated an earlier European Commission (Commission) decision (Privacy Shield adequacy determination) that the framework — administered by the U.S. Department of Commerce and enforced by the FTC — adequately protects European individuals’ personal data in compliance with the EU’s General Data Protection Regulation (GDPR). The court based its ruling on a finding that U.S. government foreign surveillance is not limited to surveillance that is strictly necessary and that neither U.S. national security laws nor the Privacy Shield framework provide enforceable privacy rights and effective legal remedies for European data subjects.

With the invalidation of the Privacy Shield adequacy determination, companies seeking to transfer personal data from the European Economic Area (EEA) to the U.S. — or transfer EEA-originated personal data onward within the U.S. — must now use other mechanisms recognized by the GDPR to appropriately safeguard personal data, such as standard data protection clauses (SCCs) or binding corporate rules (BCRs). The ECJ also noted that parties on both sides of data transfers governed by SCCs have a responsibility to ensure that data is being adequately protected from unnecessary interference, or transfers should not occur.

View the ECJ ruling here and the corresponding press release here.

Background on Privacy Shield

Under the GDPR, the EU’s robust data privacy regulation that went into effect in May 2018, companies may freely transfer personal data from the EU to a third country outside of the EU if the European Commission has determined that the third country provides adequate protections for personal data that are “essentially equivalent” to the protections guaranteed to personal data within the EU.[1]

Following the invalidation of an earlier program — Safe Harbor — the U.S. Department of Commerce and the European Commission designed the Privacy Shield framework to serve as a new mechanism to comply with EU data protection requirements in the transatlantic transfer of personal data. In July 2016, the European Commission determined that the Privacy Shield program adequately protected EU personal data (Privacy Shield adequacy determination). In so deciding, the Commission accepted the U.S.’s explanations as to the limitations and safeguards present in U.S. national security laws governing foreign data surveillance by the intelligence community — in particular, Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333 (EO 1233) and Presidential Policy Directive 28 (PPD-28). The U.S. also established a Privacy Shield Ombudsperson to review complaints and remedy noncompliance.[2]

That adequacy determination permitted Privacy Shield participants to receive EU personal data without resort to appropriate safeguards identified by the GDPR. Those alternative mechanisms to maintain consistent legal protections for personal data inside and outside the EU, in the absence of an adequacy determination, include the standardized SCCs adopted by the Commission in 2016 and the DPA-approved, customized BCRs.

More than 5,300 companies are Privacy Shield certified.

The Legal Challenge

The challenge to Privacy Shield originated in a 2015 suit brought by privacy activist and lawyer Max Schrems against Facebook Ireland over transfers of his personal data to the U.S. Schrems requested the Irish Data Protection Commission (Ireland's independent national supervisory authority tasked with enforcing the GDPR, also known as a data protection authority or DPA) to suspend Facebook’s use of SCCs to send personal data to the U.S., arguing that U.S. surveillance laws made it impossible for SCCs to appropriately safeguard EU subjects’ personal data. At the core of Schrems’ challenge is a view that current U.S. surveillance laws and EU data privacy rights are incompatible.

The case was brought before the High Court of Ireland, which referred a list of related questions to the ECJ for a preliminary ruling. An earlier case known as “Schrems I” led to the ECJ’s invalidation of the Safe Harbor program in 2015. Although the present case, sometimes known as “Schrems II,” challenged the use of SCCs, the Irish High Court and the ECJ also elected to examine the Privacy Shield program.

The ECJ’s Ruling Invalidated Privacy Shield

In the “Schrems II” ruling announced last Thursday, the ECJ invalidated the Commission’s 2016 Privacy Shield adequacy determination.

The Court clarified that adequate protection consistent with the GDPR must include “enforceable rights and effective legal remedies” for EU data subjects whose data is transferred outside the EU. Although the Court noted that data privacy rights are not absolute, any interference with such rights for the sake of national security must be proportional and limited to what is strictly necessary.

In the Court’s analysis — based on factual findings by the Irish High Court — U.S. laws, particularly Section 702 of FISA, EO 12333 and PPD-28, which authorize surveillance programs like PRISM and UPSTREAM as well as data collection from undersea transatlantic cables, insufficiently limit U.S. government surveillance authority and fail to provide meaningful avenues of redress for foreign data subjects. In the ECJ’s view, the Privacy Shield Ombudsperson position failed to adequately compensate for these concerns, due to insufficient guarantees of independence and the Ombudsperson’s inability to issue binding orders to correct U.S. intelligence community violations of EU data subjects’ rights.

As a result, the ECJ found the Privacy Shield program did not ensure adequate protection of personal data in accordance with the GDPR, and it invalidated the European Commission’s Privacy Shield adequacy determination.

The ECJ Upheld the Validity of SCCs but Clarified the Obligations of DPAs and SCC Signatories to Ensure Adequate Safeguards Exist in Practice

Importantly, the ECJ upheld the use of SCCs as a valid appropriate safeguard for transfers of EU personal data outside the EU.

However, the ECJ cautioned that, “before transferring personal data to [a] third country,” signatories to SCCs are “oblige[d] . . . to satisfy themselves that the legislation of the third country of destination enables the recipient to comply with the standard data protection clauses.” The Court noted that, in some circumstances, it may be necessary to adopt supplementary measures to ensure a level of protection essentially equivalent to that provided under EU law.

The ECJ also held that DPAs in each EU member state are “required to suspend or prohibit a transfer of data to a third country pursuant to [SCCs], if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law . . . cannot be ensured by other means.”

The ECJ did not address whether the Irish DPA should suspend Facebook’s use of SCCs to transfer data to the U.S.

Regulators’ Reactions

Following the ECJ ruling, the Irish Data Protection Commission stated that, although the Court “ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, . . . it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

The European Commission issued a statement that it will take steps to ensure the continuity of safe transatlantic data flows and “will be working closely with our American counterparts” to achieve that goal. The statement also noted the continued availability of a “broad toolbox” of mechanisms for international data transfers including SCCs and BCRs, and reiterated that the Commission will strive to complete its work to bring the SCCs up to date with the GDPR as soon as possible. According to the statement, the Commission will work together with DPAs to “ensure a swift and coordinate[d] response to the [ECJ] judgment” in order to “provide European citizens and businesses with legal certainty.”

The European Data Protection Board’s (EDPB) statement confirmed, among other things, that the EDPB “intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.” The EDPB said it “will assess the [ECJ] judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.” Several DPAs also issued statements that they are currently working with counterparts across Europe to analyze the multifaceted ECJ decision and to develop guidance for companies on how to comply with the decision.

The Privacy Shield program website notes that “[t]he U.S. Department of Commerce has been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hopes to be able to limit the negative consequences of the decision to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.”

Going Forward

Even without Privacy Shield, data transfers between the EU and the U.S. can still take place, provided appropriate safeguards are in place or derogations recognized in the GDPR apply. Article 46 of the GDPR lists mechanisms that constitute appropriate safeguards, such as SCCs. Article 49 of the GDPR enumerates “derogations for specific situations” under which international data transfers are permitted even in the absence of an adequacy determination or appropriate safeguards. For example, transfers are permitted where the transfer is necessary for “the performance of a contract between the data subject and the controller,” art. 49(1)(b), for “the conclusion or performance of a contract concluded in the interest of the data subject,” art. 49(1)(c), or for “the establishment, exercise or defence of legal claims,” art. 49(1)(e). The EDPB’s extensive guidance on the application of the derogations can be viewed here.

Companies certified under the Privacy Shield program should:

  • Continue to comply with their Privacy Shield obligations (among other reasons, to avoid FTC enforcement actions or breach of contract claims).
  • Determine what appropriate safeguards — such as SCCs — to employ or what derogations to rely on to permit continued transfers of EU personal data (whether in an initial transfer from the EU or in onward transfers outside the EU).

All companies should:

  • Determine whether the company transfers EU personal data to other companies that are Privacy Shield certified (whether in an initial transfer from the EU or in onward transfers outside the EU).[3]
  • If necessary, determine what appropriate safeguards to employ — such as SCCs — or what derogations to rely on to permit continued transfers.

Companies that use SCCs (or other appropriate safeguard mechanisms) to transfer or receive EU personal data should consider in each case whether and how the data recipient’s ability to ensure adequate levels of protection is affected by the data surveillance laws and practices of the country in which the recipient is located. Companies should further consider whether and what supplemental measures — such as encryption of data while in transit — might be implemented to ensure adequate protection from government surveillance.

While — at least in the U.S. — government surveillance laws most directly affect telecommunications and internet companies, any company evaluating a data recipient’s ability to ensure adequate levels of protection should be aware that businesses in other industries may use telecommunications and internet companies to process and store personal data. In such cases, supplemental measures to protect the personal data from government surveillance should be considered.


[1] Following the GDPR’s adoption by the non-EU EEA countries (Iceland, Liechtenstein and Norway) in July 2018, the GDPR’s requirements apply equally to the personal data of EEA persons and transfers of such data out of the EEA. 

[2] Section 702 of FISA provides for authorization of certain targeted surveillance of non-U.S. persons located outside the U.S. and serves as the basis for the U.S. intelligence community’s UPSTREAM and PRISM programs. The UPSTREAM program allows the NSA to compel the assistance of certain telecommunications providers in collecting a foreign surveillance target’s communications as they cross the internet. The PRISM program enables the U.S. intelligence community to collect a foreign surveillance target’s communications directly from U.S. internet companies.

EO 12333 authorizes electronic surveillance for the purpose of collecting foreign intelligence. PPD-28 acknowledges that the U.S. collects signals intelligence in bulk in certain circumstances.

[3] A list of current Privacy Shield participants is located here.

***

Summer law clerk Rachel Czwartacky assisted in the preparation of this alert.