European court invalidates primary EU-US data transfer mechanism

The European Union’s top court has ruled that the data transfer mechanism many companies use to transfer data between the EU and the US is no longer valid under GDPR.

In a highly anticipated ruling on 16 July that many believed would have profound implications for data transfers, the European Court of Justice decided that Privacy Shield was unable to protect EU residents' data from extensive US surveillance mechanisms.

Privacy Shield, itself a replacement for the invalidated Safe Harbour Principles, was introduced in 2016 to reconcile the problem of sending data from the EU, an area with robust data protection mechanisms, to the US, a country known for relatively invasive surveillance laws.

Some 5,300 businesses, many of which are small to medium-sized, have come to rely on Privacy Shield to transfer data, as it was by far the easiest mechanism to use when securing legal justification under GDPR.

However, the ECJ ruled that Privacy Shield prioritised US law enforcement and national security over the fundamental rights of data subjects, something that now conflicts with the notion that so called ‘third countries’ have equivalent data protections as those set out by GDPR. In other words, Privacy Shield simply isn’t compatible with today's EU data rules.

The court also found that surveillance laws in the US do not appear to have any limitations in how they are implemented, nor do they provide guarantees that non-US data subjects would be excluded or protected from such surveillance.

It also argued that the Ombudsperson, a position that provides EU citizens an additional point of redress when raising complaints against a company, but which sat vacant until 2019, does not provide data subjects with a cause of action for complaints that is equivalent to powers in the EU.

The case was originally brought by privacy activist Max Schrems against Facebook. He claimed that the company was unjustified in its use of so called ‘standard contractual clauses’ for the transfer of data between its EU headquarters and its US base in Silicon Valley. SCCs as a mechanism allow EU businesses to bake data protection rules into their contracts with companies outside of the EU and outside the scope of GDPR.

After Schrems complained to the Irish data protection regulator, the case was then sent to the Irish High Court and eventually the top court in Europe. However, the Irish High Court expanded the initial case to also challenge the validity of all standard contractual clauses as a data transfer mechanism, as well as challenge the validity of Privacy Shield, over which it had concerns.

Thursday’s ruling found that SCCs were valid as a data transfer mechanism, although it stated that data controllers are required to assess whether it’s possible for these contractual terms to be upheld in any country where invasive surveillance laws exist.

The invalidation of Privacy Shield, but the protection of SCCs, is a clear win for Schrems, who always argued that SCCs should be enforced more rigorously rather than scrapped altogether, particularly as so many businesses rely on their use.

“I am very happy about the judgment. It seems the Court has followed us in all aspects,” said Schrems, commenting on the ruling. “This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”

The invalidation of Privacy Shield creates a difficult moment for the European Commission, as it will now be tasked with creating an alternative mechanism for the transfer of data to the US. It took nine months for the Commission to replace Safe Harbour with Privacy Shield and, given the added complexities of GDPR, creating a new framework could take even longer.

The ruling makes it clear that any new mechanism will need to maintain GDPR principles, something that may be incredibly difficult in the context of US surveillance laws. If anything, it may require the US to adjust its own laws to provide guarantees for EU data, which may be unlikely.

"This is pretty much a solid victory for Schrems, and it will be interesting to see how the regulators (and businesses) reacts," says Renzo Marchini, privacy and security partner at law firm Fieldfisher. "This will be a big shock in EU-US relationships. The Privacy Shield had been painstakingly put together to deal with criticism of oversight under the old regime that was killed in the first Schrems case back in 2015 (Safe Harbor). This is now also found to be invalid and cannot be relied upon.

"In the light of that, it will be difficult for the regulators to allow SCCs for transfers to the US. If there is too much scope for intrusion into European individuals' privacy under Privacy Shield, how can there not be for SCCs?"

Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said the scrapping of Privacy Shield "will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually".

"IAPP’s 2019 Governance Survey found that 88 percent of respondents moving data out of Europe rely on standard contracts. This decision cuts off legal means to transfer personal data to the United States and will demand immediate attention by policymakers and U.S. companies doing business in Europe.”