EU court invalidates Privacy Shield data transfer agreement
US companies receiving EU personal data under Privacy Shield will need to find a replacement legal mechanism
16 July 2020
The European Union Court of Justice (ECJ) has invalidated the US-EU Privacy Shield Agreement. The agreement, which ensured US companies agree to adhere to EU standards on data protection and privacy in return for being able to receive personal data from the EU, has been struck down on the grounds that the US legal system doesn’t provide adequate protection to personal data, especially when it comes to state surveillance.
US companies receiving personal data from the EU will now need to find an alternative legal mechanism for receiving data or they will be breaking the law and face potential sanctions under the General Data Protection Regulation (GDPR).
Privacy Shield goes the way of Safe Harbor
Privacy Shield was set up after its predecessor, Safe Harbor, was brought down after a legal challenge from privacy activist Max Schrems. Privacy Shield was challenged because, like Safe Harbor, it didn’t offer enough protections to EU citizen data from US surveillance laws.
The ECJ ruled that data protections in the US are not equivalent to those required under EU law, citing the “limitations on the protection of personal data” that arise from the access to and use of that data by US public authorities, which do not satisfy EU requirements. The court also found that the current system did not give data subjects actionable rights before the courts against the US authorities, and so should be invalidated.
Standard contractual clauses remain
The court did rule, however, that standard contractual clauses (SCCs) remain valid. These standardized templates of data protection requirements will be the most likely replacement option for companies affected.
The ECJ ruling noted that assessment of SCC agreements must not only consider the protections guaranteed in the contract, but also the potential for access by authorities of the destination country and the legal system of that third country. It also stated that Data Protection Authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where SCCs are not or cannot be complied with in that country and the protection required by EU law cannot be ensured. This leaves companies open to the possibility that local DPAs might invalidate SCCs if they feel data could be subject to local surveillance laws that affect EU citizens. DPAs have always had the power to invalidate SCCs, but the new ruling will compel them to use that mechanism.
Binding corporate rules remain unaffected, but they are costly and require a lengthy process to put in place, and are likely an impractical option for all but the largest companies.
Even with the fall of Privacy Shield and where no SCCs are in place, personal data can be transferred where “necessary” – for example via an email from the data subject or when booking a hotel in the destination country – or where the data subject provides clear consent for a company to move data over to the US. This ruling is most likely to affect companies that pass data from an entity in the EU to the parent company outside the region or to a third party that hosts or processes the data outside the Union.
Ruling means more compliance burdens for CISOs
Companies that were reliant on Privacy Shield will likely have to look toward SCCs to ensure they have a legal way to send personal data from the EU to the US. Where Privacy Shield was a single set of compliance requirements for all personal data, SCCs are specific to each data flow, meaning a single organization can have dozens or even hundreds of SCCs in place. There are multiple SCC templates, which gives some room for manoeuvre within them.
The data protection requirements between Privacy Shield and SCCs will likely be similar. As blanket coverage will now be replaced with multiple agreements, there is an increased burden of ensuring each data flow is compliant.
CISOs should work with their data protection officers (DPOs) and legal department to understand data flows across the company, identify any data protection demands from SCCs that deviate from those previously in place under Privacy Shield, and ensure that compliance with each is documented in case it is challenged.
Where possible it may be beneficial to reassess what data is received from the EU and where it may make more sense for it to remain within the EU territory in order to reduce compliance burdens.
IDG News Service