Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. federal privacy legislation, it is of little to no surprise (albeit disappointing) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.
What is Privacy Shield and What Happened to Change it?
The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”
The European Commission deemed Privacy Shield an acceptable transfer mechanism on July 12, 2016, and it quickly became a replacement for the prior Safe Harbor Framework, which the Court struck down in 2015. The majority of U.S. organizations transferring personal data from the EU to the U.S. over the last several years have taken advantage of Privacy Shield self-certification and/or Standard Contractual Clauses.
Four years later, on July 16, 2020, the Court invalidated the European Commission’s decision, described above, that approved Privacy Shield as an appropriate transfer mechanism. This decision is effective immediately. Entities that rely on Privacy Shield as a data transfer mechanism in the European Union will need to transition to a different transfer mechanism.
What was the Court’s Finding?
In evaluating Privacy Shield’s adequacy, the Court focused on whether Privacy Shield really could provide appropriate safeguards for the transfer of personal data. As mentioned by the Court, the purpose of appropriate safeguards is to maintain the high level of protection afforded to personal data of data subjects in the EU even when that personal data is transferred to a country outside of the EU. In sum, the Court concluded Privacy Shield does not maintain a high level of protection that is equivalent to protection afforded to personal data in the EU. As a result, Privacy Shield cannot provide appropriate safeguards and is an invalid mechanism for transferring personal data of data subjects in Europe to a U.S. location.
The Court’s ruling is based on the Court’s evaluation of (i) the potential for U.S. government access to transferred personal data as permitted under various U.S. laws, (ii) the lack of enforceable data subject rights, and (iii) the lack of adequate remedies for data subjects.
The Court states that U.S. law affords U.S. government agencies and government surveillance programs rights that, if acted upon by an EU Member State, would result in the Member State being in violation of EU data protection laws. For example, the Court notes, the United States Attorney General and the United States Director of National Intelligence have the right, based on annual authorization, to surveil individuals located outside the U.S. who are not U.S. citizens or permanent U.S. residents. Entities cannot use Privacy Shield to deny a request from U.S. intelligence authorities to access personal data because the U.S. intelligence authorities are not bound by Privacy Shield. As such, the Court found, compliance will not protect transferred personal data of data subjects in Europe against interferences by U.S. intelligence authorities.
In addition, the Court determined, Privacy Shield’s failure to prevent interference from U.S. intelligence authorities impedes the data subject’s ability to exercise their rights afforded under European data protection laws. Again, because U.S. authorities are not bound by Privacy Shield, government agencies like the FBI and CIA can send data requests on certain individuals to electronic communications service providers (e.g., Facebook) under U.S. law. These providers must comply and are not always permitted to disclose their compliance with such requests. Further, the U.S. government entity is generally not required to provide notice to the data subject that it has issued a request for their data from a provider.
Lastly, the Court deemed inadequate the remedies available to data subjects who believe their information was illegally transferred, processed, or shared. The Court found that Privacy Shield and U.S. laws limit a data subject’s rights to those that are contractual and only against the exporter and importer of the personal data. According to the Court, this falls substantially below the remedies afforded to data subjects under European data protection laws.
Given the analysis above, the Court determined that, because Privacy Shield cannot prevent interference from U.S. government agencies and surveillance programs at a level that is equivalent to the rights and remedies afforded to data subjects under European data protection laws, Privacy Shield is an invalid transfer mechanism in the European Union.
When and How Does this Impact Companies that Rely on Privacy Shield?
As stated above, this decision is effective immediately and companies can no longer rely on Privacy Shield as a transfer mechanism. The Court did validate Standard Contractual Clauses, so these will remain an approved transfer mechanism for the time being. Another option is to use Binding Corporate Rules. Of course, U.S. organizations currently relying on Privacy Shield will also want to update online and internal privacy policies and agreements that reference Privacy Shield.