Not five years ago, the European Court of Justice struck down the Safe Harbor, the primary legal vehicle for transatlantic data transfers. Now, the court appears to have done the same to its replacement, the U.S.-EU Privacy Shield.
As explained by the court, Austrian activist Max Schrems, whose original lawsuit got the Safe Harbor invalidated, went back to court against Facebook Ireland, complaining "that the United States does not offer sufficient protection of data transferred to that country." He sought "the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses."
Today's resulting decision reaffirmed the legality of model clauses for data transfer, but invalidated the Privacy Shield.
The EU General Data Protection Regulation (GDPR) restricts the transfer of EU residents’ data to non-EU jurisdictions. Short of the European Commission declaring that a country provides "adequate" data protection (which will presumably never happen regarding the U.S.), data transfers can only occur via a few mechanisms, with Privacy Shield having been the most popular. Among other things, Privacy Shield requires U.S. companies to register compliance with the U.S. Department of Commerce and to notify consumers about this compliance in their privacy policies, making the promises enforceable under U.S. law (primarily by the FTC). Other trans-Atlantic data transfer remedies, which the court left intact, include binding corporate rules and model data protection clauses adopted by the EU Commission.
The Insights Association offers our Privacy Shield Program as a benefit of company membership, since it serves as an Independent Recourse Mechanism (IRM), a required component of the program. The Privacy Shield agreement is clearly in question today. The U.S. Department of Commerce stated this morning that it intends to keep processing applications for the time being while the folks with higher pay-grades negotiate a solution. Even if, at least temporarily, Privacy Shield may not be a useful mechanism for data transfer, it continues to be a good starting point for GDPR compliance.
European Commission VP Vera Jourova tried to provide comfort today to companies reliant upon Privacy Shield for data transfer: "I know citizens and businesses are seeking reassurance today on both sides of the Atlantic. So let me be clear: we will continue our work to ensure the continuity of safe data flows." She emphasized that the EU was "not starting from scratch. On the contrary, the Commission has already been working intensively to ensure that this toolbox is fit for purpose, including the modernisation of the Standard Contractual Clauses." While Jourova noted that she needed more time to examine the details of the decision, she stated that the Commission would still seek to guarantee "the protection of personal data transferred across the Atlantic," work "constructively with our American counterparts with an aim of ensuring safe transatlantic data flows," and work "with the European Data Protection Board and national data protection authorities to ensure our international data transfer toolbox is fit for purpose." (EU Justice Commissioner Didier Reynders also outlined the European Commission's work on the model clauses.)
U.S. Commerce Secretary Wilbur Ross responded that, "It is critical that companies including the 5,300+ current Privacy Shield participants be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield." He noted that the Department of Commerce will continue to administer the program and process submissions for self-certification and re-certification to the Privacy Shield Framework and maintain the public list of companies that have certified to Privacy Shield. Ross also warned participating companies that their responsibilities and obligations have not changed.
House Energy & Commerce Committee Ranking Member Greg Walden (R-OR) and House Consumer Protection and Commerce Subcommittee Ranking Member Cathy McMorris Rodgers (R-WA) warned about the "troubling protectionist voices coming from Europe that desire to use regulatory regimes as non-tariff trade barriers as opposed to the primary purpose of protecting consumers. Whether it is the GDPR, digital services taxes, or data localization requirements, it is clear Europe is targeting American tech companies. But our shared interests and values should outweigh these shortsighted and misguided policies. The European Union must not give the U.S. standards it does not apply to other countries that have no concern for protecting consumer data, and we call on the European Commission and the European Data Protection Board to work with the Trump administration to find an acceptable and sustainable path forward."
The Insights Association will provide further analysis and recommendations in the coming weeks.
For questions about IA's Privacy Shield Program, please reach out to Juliana Wood.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.