The EU/US privacy shield invalidated

Kerman & Co. website
August 3, 2020 Advisory

On 16 July 2020, the Court of Justice of the European Union (CJEU) gave its eagerly anticipated preliminary ruling in the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems Case C-311/18 (“Schrems II”) declaring that the protection provided by the EU-US Privacy Shield (“Privacy Shield”) is invalid.

Background

The Privacy Shield was adopted in July 2016 by the European Commission to enable the transfer of personal data of EU citizens between the European Union and the United States. The Privacy Shield replaced the old Safe Harbor arrangements which had previously been invalidated.

The General Data Protection Regulation (“GDPR”) prohibits the transfer of personal data outside of the European Union unless the recipient country has a similarly adequate level of protection in place for the transferred data. The Privacy Shield is the mechanism by which personal data can be transferred from the European Union to the United States, ensuring companies on both sides of the Atlantic comply with data protection requirements.

The Privacy Shield worked on the basis of self-certification. Companies relying on the Privacy Shield are required to commit to a set of ‘Privacy Principles’ including, amongst other requirements, notice requirements, security, purpose limitation and access to data.

The Facts

Mr. Schrems, an Austrian lawyer, lodged a complaint with the Irish Data Protection Commissioner claiming that his personal data would not be sufficiently protected when transferred to the United States. Mr. Schrems challenged Facebook’s reliance on the use of Standard Contractual Clauses as the legal basis for the transfer of personal data from Facebook Ireland to Facebook United States. Many companies use Standard Contractual Clauses as a means of safeguarding personal data. Standard Contractual Clauses govern the transfer of personal data to countries outside of the European Union and operate as a contractual set of terms and conditions between the sender and receiver. They usually include obligations to protect personal data, to have implemented appropriate safeguards and security measures and to cooperate with relevant supervisory authorities. Mr. Schrems argued that legislation in the United States does not explicitly limit interference with an individual’s personal data and that it runs contrary to the privacy rights enshrined in the EU Charter of Fundamental Rights. Mr. Schrems noted how, under legislation in the United States, internet service providers can be compelled to share data they hold with intelligence agencies.

The Data Protection Commissioner referred this query to the High Court in Dublin, which in turn referred the matter to the European Court of Justice for a preliminary ruling. The ruling considered the validity of Standard Contractual Clauses and the totality of the Privacy Shield framework.

Decision

Whilst ultimately determining that the use of Standard Contractual Clauses as a means of protecting data is valid in principle, the Court held that the Privacy Shield itself is invalid and not capable of suitably protecting personal data.

The European Court of Justice found that Standard Contractual Clauses do provide adequate protection for personal data of EU citizens but noted that there is an inherent obligation on an organisation to assess if there is an adequate level of protection in the jurisdiction.

It was held that the Privacy Shield does not provide protection to EU data subjects whose data is exported to the United States due to potential issues with access by public authorities and bodies within the US, and there is no suitable redress available to data subjects in US courts.

Effect on Business

The effect of this decision is that businesses will now be required to carefully analyse their data flow framework to ensure that it is compliant and, where it falls short, to urgently identify alternative data transfer mechanisms.

To do this, businesses should begin by:

  • mapping out their data transfers to assess what transfers are impacted;
  • reviewing any third-party contracts to ensure that the data is being held responsibly;
  • identifying an alternative transfer mechanism if they are currently relying on the Privacy Shield; and
  • reviewing the EC’s current list of ‘adequate countries’. If the country is on this list, data transfer may continue as normal.

Originally published at Kermanco.com prior to the firm’s combination with Armstrong Teasdale in early 2021.
