"Confusion surrounding the Privacy Shield rollback" by Amanda R. Lawrence, Elizabeth E. McGinn, and Magda Gathani
Buckley Commentary & Analysis
The Court of Justice of the European Union (CJEU) last month invalidated the EU-U.S. Privacy Shield, which over 5,000 companies have relied on as a legal mechanism of transferring data from the EU to the United States.
The European Data Protection Board (EDPB) did not provide a grace period, so it is imperative that companies currently relying upon the Privacy Shield take immediate steps to find a suitable alternative that guarantees the legality of data transfers from the EU to the U.S.
CJEU Decision and Regulatory Response
The Privacy Shield allowed companies to import personal information from the EU to the U.S. by certifying to the U.S. Commerce Department compliance with EU privacy requirements (primarily the General Data Protection Regulation). In a recent decision in the "Schrems 2" case, the CJEU invalidated the Privacy Shield on the grounds that the requirements of U.S. national security, public interest, and law enforcement have “primacy” over data protection. The court also held that the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to data processors outside of the EU were valid. Nevertheless, data importers must inform the data exporter of any inability to comply with the standard data protection clauses, and supplement as necessary to provide adequate protections.
Following the CJEU decision, the EDPB issued FAQs that aim to address some of the implications of the decision. The FAQs also clarify that the Privacy Shield was invalid effective immediately because “the U.S. law assessed by the [CJEU] does not provide an essentially equivalent level of protection to the EU.” Separately, the Commerce Department and the EU have initiated negotiations of an “enhanced” data transfer framework to replace the version that was invalidated by the CJEU. In the meantime, the Commerce Department said it will continue to administer the Privacy Shield because the decision “does not relieve participating organizations of their Privacy Shield obligations.” Similarly, the Federal Trade Commission stated that it expects companies to follow robust privacy principles, including those underlying the Privacy Shield Framework.
Five years after the CJEU invalidated the Safe Harbor data protection framework, companies find themselves in a similar position with the invalidation of the Privacy Shield. The path forward is not clear, and in the meantime, Privacy Shield participants are not excused from their obligations under the framework because the enforcement authority of the Department of Commerce is not extinguished.
Although the court held that the SCCs were valid, EU data exporters must ensure that the laws in the recipient country provide the same or a higher level of protection as guaranteed by the GDPR. In practice, this will likely mean liability shifting from the EU data exporters to the U.S. data importers, who must contractually guarantee the adequacy of the data protection standards.
Companies that continue without any alternative safeguard data transfer mechanism risk becoming the target of an enforcement action immediately, as no grace period from enforcement is contemplated. Additionally, the GDPR provides for a private right of action, which means that companies that continue to operate without any alternative safeguard mechanism will also be at risk of private lawsuits.
Possible Path Forward
The CJEU decision makes clear that companies relying on the Privacy Shield will need to transition to another data transfer mechanism as promptly as possible. The U.S. government’s surveillance tactics, which are inconsistent with the data protection principles of the EU, make this a challenging endeavor. As a result, companies need to be wary of potential pitfalls while determining which alternative mechanism will be compliant with EU standards.
Companies that currently rely on SCCs and Binding Corporate Rules will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organizations should consider additional safeguards that will offer that protection.
One way that companies may be able to navigate the apparent divergence in data protection standards between the EU and the United States is to rely on derogations provided in the GDPR for certain transfers, such as when the transfer is necessary to perform a contract. Encryption or tokenization of the data are other potential solutions. Technical safeguards may carry less risk than contractual safeguards, which are embedded with liability shifting and require very careful drafting to ensure that all concerns are addressed.
Alternatively, companies may opt to use a local EU data processor, which is not always a desirable solution because it takes control over the data away from the U.S. data importer. However, since personal data of EU data subjects would be processed within the EU, no transfer of data would need to take place. As companies think through the available options, they must balance the need for data against the business risks and opportunities that come with it.