European court invalidates primary EU-US data transfer mechanism

Privacy Shield ruled to be incompatible with GDPR in landmark case

The European Union’s top court has ruled that Privacy Shield, the mechanism many companies use to transfer personal data between the EU and the US, is no longer valid under GDPR.

In a highly anticipated ruling on 16 July that many believed would have profound implications for data transfers, the European Court of Justice decided that Privacy Shield was unable to protect EU residents' data from extensive US surveillance mechanisms.

Privacy Shield, itself a replacement for the invalidated Safe Harbour Principles, was introduced in 2016 to reconcile the problem of sending data from the EU, an area with robust data protection mechanisms, to the US, a country known for relatively invasive surveillance laws.


Some 5,300 businesses, many of which are small to medium-sized, have come to rely on Privacy Shield to transfer data, as it was by far the easiest mechanism to use when securing legal justification under GDPR.

However, the ECJ ruled that Privacy Shield prioritised US law enforcement and national security over the fundamental rights of data subjects, which conflicts with the requirement that so-called ‘third countries’ provide data protections equivalent to those set out by GDPR. In other words, Privacy Shield simply isn’t compatible with today's EU data rules.

The court also found that surveillance laws in the US do not appear to have any limitations in how they are implemented, nor do they provide guarantees that non-US data subjects would be excluded or protected from such surveillance.


It also found that the Ombudsperson, a position intended to give EU citizens an additional point of redress when raising complaints against a company, but which sat vacant until 2019, does not provide data subjects with a cause of action that is equivalent to the remedies available in the EU.


The case was originally brought by privacy activist Max Schrems against Facebook. He claimed that the company was unjustified in its use of so-called ‘standard contractual clauses’ (SCCs) for the transfer of data between its EU headquarters and its US base in Silicon Valley. SCCs allow EU businesses to bake data protection rules into their contracts with companies outside of the EU and outside the scope of GDPR.

After Schrems complained to the Irish data protection regulator, the case was then sent to the Irish High Court and eventually the top court in Europe. However, the Irish High Court expanded the initial case to also challenge the validity of all standard contractual clauses as a data transfer mechanism, as well as challenge the validity of Privacy Shield, over which it had concerns.

Thursday’s ruling found that SCCs were valid as a data transfer mechanism, although it stated that data controllers are required to assess whether it’s possible for these contractual terms to be upheld in any country where invasive surveillance laws exist.


The invalidation of Privacy Shield alongside the preservation of SCCs is a clear win for Schrems, who has always argued that SCCs should be enforced more rigorously rather than scrapped altogether, particularly as so many businesses rely on them.

“I am very happy about the judgment. It seems the Court has followed us in all aspects,” said Schrems, commenting on the ruling. “This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”


The invalidation of Privacy Shield creates a difficult moment for the European Commission, as it will now be tasked with creating an alternative mechanism for the transfer of data to the US. It took nine months for the Commission to replace Safe Harbour with Privacy Shield and, given the added complexities of GDPR, creating a new framework could take even longer.


The ruling makes it clear that any new mechanism will need to maintain GDPR principles, something that may be incredibly difficult in the context of US surveillance laws. If anything, it may require the US to adjust its own laws to provide guarantees for EU data, which may be unlikely.


"This is pretty much a solid victory for Schrems, and it will be interesting to see how the regulators (and businesses) react," says Renzo Marchini, privacy and security partner at law firm Fieldfisher. "This will be a big shock in EU-US relationships. The Privacy Shield had been painstakingly put together to deal with criticism of oversight under the old regime that was killed in the first Schrems case back in 2015 (Safe Harbor). This is now also found to be invalid and cannot be relied upon.

"In the light of that, it will be difficult for the regulators to allow SCCs for transfers to the US. If there is too much scope for intrusion into European individuals' privacy under Privacy Shield, how can there not be for SCCs?"


Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said the scrapping of Privacy Shield "will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually".

"IAPP’s 2019 Governance Survey found that 88 percent of respondents moving data out of Europe rely on standard contracts. This decision cuts off legal means to transfer personal data to the United States and will demand immediate attention by policymakers and U.S. companies doing business in Europe.”
