In a new judgement, the Court of Justice of the European Union has invalidated the EU-U.S. Privacy Shield and thrown the reliability of Standard Contractual Clauses into doubt
The EU-U.S. Privacy Shield is a framework that – until recently – was relied upon by more than 5,000 organizations to transfer data from the EU to the U.S. without running afoul of EU privacy protections. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a judgement (in Case C‑311/18) invalidating the Privacy Shield framework and casting doubt on whether Standard Contractual Clauses (“SCCs”) can be used for EU-to-U.S. transfers instead.
In October 2015, the CJEU issued a ruling invalidating the Safe Harbor program on which organizations had relied for transfers of data from the European Union to the United States. Subsequently, representatives of the EU member states’ data protection authorities issued guidance on adapting to the loss of Safe Harbor protections, including pointing organizations towards the use of Model Contracts employing SCCs approved by the European Commission.
SCCs had been in use, in one form or another, since 2002, and many more organizations adopted them during the period between the Safe Harbor program’s invalidation and the implementation of a replacement program. Eventually, in July 2016, the EU-U.S. Privacy Shield was approved by the European Commission as a replacement for the invalidated Safe Harbor program.
As we discussed in 2018, European privacy activist Max Schrems (whose prior lawsuit resulted in the invalidation of the Safe Harbor program) filed a suit challenging the sufficiency of SCCs, arguing that they too provide inadequate protection for the personal data of EU citizens transferred to the U.S. In 2017, the Irish Court hearing the case issued an order finding the concerns and objections raised about data transfers to the U.S. under SCCs “well-founded” and referring the matter to the CJEU for the resolution of several legal questions.
The specific questions referred explored several aspects of the sufficiency of SCCs, the correct law to use to assess the protections, the relationship between the Privacy Shield and the SCCs, and what qualifies as an adequate remedy under applicable law. Arguments were heard by the CJEU in 2019, and U.S. representatives participated in the arguments.
In a press release summarizing their July 16th judgement, the CJEU explained that the European Commission adequacy decision underpinning the EU-U.S. Privacy Shield was invalid because the data protections provided in the U.S. are not equivalent to the protections provided in the EU:
. . . the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality . . . .
In particular, the CJEU emphasized that the Ombudsperson mechanism in the Privacy Shield program does not meet “the requirement of judicial protection” because it “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law,” particularly with regard to independence and the ability to issue decisions binding on U.S. intelligence services.
In the press release summarizing their July 16th judgement, the CJEU also explained that the Commission decision underpinning SCCs remains valid, but it clarified the requirements for the use of SCCs and the role of member states’ data protection authorities in assessing them:
Given that this same judgment invalidates the EU-U.S. Privacy Shield precisely because equivalent protections are not currently provided in the U.S., this casts doubt on whether SCCs can still be used for data transfers to the U.S., even though the mechanism is found to be valid for transfers in general. Moreover, this seems intended to spur a new level of oversight and enforcement activity from member states’ data protection authorities.
In the U.S., initial responses to the judgement have focused on immediate adaptation to alternative transfer mechanisms, including SCCs (at least for now). Microsoft, for example, issued a statement emphasizing their preexisting dual coverage by both the Privacy Shield and SCCs and assuring customers there will be no service disruptions. The U.S. Secretary of Commerce issued a statement expressing disappointment and announcing an intention to continue operation and enforcement of the Privacy Shield program for now:
The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.
In the EU, some member states’ data protection authorities have already issued statements on the judgement, including some that express doubt about continuing to allow transfer to the U.S. via SCCs, at least in some circumstances.