The Court of Justice of the EU has declared that the European Commission's adequacy decision in respect of the EU-U.S. Privacy Shield is invalid (judgment of 16 July 2020 in Case C-311/18, commonly referred to as "Schrems II"). The ruling removes a key mechanism that had been widely used to lawfully transfer personal data from the EU to the U.S., and throws into turmoil the cross-border data transfer strategies of many businesses.
EU data transfer restrictions
Both the General Data Protection Regulation ("GDPR") and its predecessor (the now repealed Directive 95/46/EC) set out a general prohibition on the transfer of personal data from the European Economic Area ("EEA") to recipients located outside the EEA, unless a recognised transfer mechanism or derogation applies. A number of such mechanisms and derogations permit businesses to lawfully send personal data to non-EEA recipients. One of these mechanisms is an approval from the European Commission, known as an "adequacy decision", confirming that the destination country (or a specific framework within it) ensures an adequate level of protection.
The old EU-U.S. 'Safe Harbor'
In light of the data transfer restrictions in Directive 95/46/EC, the EU and the U.S. negotiated a mechanism known as the "Safe Harbor". It was designed to permit businesses in the EU to send personal data to U.S.-based recipients that had self-certified their adherence to the Safe Harbor principles, and it received an adequacy decision from the European Commission to give it legal validity as a data transfer mechanism. However, in October 2015, the Court of Justice of the EU ("CJEU") invalidated the Commission's adequacy decision in respect of the Safe Harbor (Case C-362/14, "Schrems I").
The EU-U.S. 'Privacy Shield'
In response to the demise of the Safe Harbor, the European Commission and the U.S. Department of Commerce set about negotiating a new arrangement that would take the place of the Safe Harbor, while addressing the issues raised by the CJEU. In February 2016, it was announced that agreement had been reached on a new mechanism, to be known as the EU-U.S. Privacy Shield. The Privacy Shield operated on a similar basis to the Safe Harbor, but was designed to provide greater rights and protections to individuals whose personal data are transferred to the U.S. The Privacy Shield subsequently received approval from the European Commission in the form of a new adequacy decision in July 2016 (the "2016 Adequacy Decision").
The CJEU's judgment
In its judgment invalidating the 2016 Adequacy Decision, the CJEU considered several shortcomings of the Privacy Shield mechanism. The CJEU concluded that U.S. public authorities, in particular intelligence agencies acting under surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, have wide-ranging access to personal data received by Privacy Shield-certified entities in the U.S., and that such access is not subject to protections equivalent to those that exist under EU law. In particular, the CJEU found that U.S. law does not limit that access in accordance with the principle of proportionality, since the relevant surveillance programmes are not restricted to what is strictly necessary.
The CJEU also held that U.S. law does not give individuals in the EU actionable rights before the courts against the U.S. authorities, and so does not provide a remedy equivalent to the right to effective judicial protection that exists under EU law. The CJEU considered the role of the Privacy Shield Ombudsperson and concluded that the Ombudsperson mechanism does not fill this gap: the Ombudsperson is not sufficiently independent of the executive and cannot adopt decisions that bind the U.S. intelligence services, and therefore does not provide sufficient guarantees regarding the protection of personal data transferred to the U.S. under the Privacy Shield.
Accordingly, the CJEU held that the 2016 Adequacy Decision was invalid.
Impact on businesses
The CJEU's ruling means that businesses in the EEA will no longer be able to transfer personal data to a recipient in the U.S. in reliance on that recipient's Privacy Shield certification. Because the CJEU's ruling takes immediate effect, many businesses that had been relying on the Privacy Shield as their primary justification for transferring personal data to the U.S. will need to implement an alternative transfer mechanism.
The options available to businesses are limited. The most common alternative transfer mechanism is likely to be the EU's Standard Contractual Clauses ("SCCs"), which contractually impose certain GDPR-like compliance obligations on the non-EEA recipient of the transferred data. SCCs are quick to implement, and can provide an appropriate solution for many businesses that are now unable to rely on the Privacy Shield. However, SCCs do not cover every type of cross-border data transfer and can be seen as inflexible. In addition, while the CJEU upheld the validity of the SCCs in the same judgment, it stressed that the data exporter must assess, on a case-by-case basis, whether the law of the recipient country allows the recipient to actually comply with the SCCs, and must adopt supplementary measures or suspend the transfer where it does not. For transfers to the U.S., that assessment must take into account the very surveillance regime that led the CJEU to invalidate the Privacy Shield.
Binding Corporate Rules ("BCRs") offer an alternative solution for intra-group personal data transfers only, and permit much greater flexibility than SCCs. However, BCRs require pre-approval from EU Data Protection Authorities ("DPAs"), and such approval typically takes a long time (often years) to obtain. BCRs will therefore not provide a quick replacement for the Privacy Shield.
Article 49 of the GDPR also provides a series of derogations from the general prohibition on transfers of personal data to non-EEA recipients, and these derogations could apply to certain kinds of transfers, notably where the affected individuals have explicitly consented to the transfer after being informed of the risks. However, reliance on these derogations requires a case-by-case analysis, and DPAs interpret them restrictively: they are generally regarded as suitable for occasional transfers rather than as a basis for systematic, large-scale data flows.
For some businesses, it is possible that none of the available transfer mechanisms will provide a suitable replacement for the Privacy Shield. The key lesson from the CJEU's 2015 ruling invalidating the Commission's adequacy decision in respect of the old Safe Harbor mechanism is not to panic. DPAs did not rush to enforcement when businesses lost the ability to rely on the old Safe Harbor, and there is no obvious reason why they should do so now. Of the small number of enforcement cases that were made public, many resulted from businesses self-reporting non-compliant data transfers to a DPA. Claims by affected individuals were limited in number, compared with the number of businesses affected.
It is also foreseeable that the European Commission will attempt further negotiations with the U.S. Department of Commerce to explore the possibility of amending or replacing the Privacy Shield in order to address the deficiencies identified by the CJEU. In the interim, businesses would be well advised to map their transfers of personal data to the U.S. and identify the compliance gaps caused by the CJEU's ruling, implement alternative transfer mechanisms (and any supplementary measures those mechanisms require) where feasible, monitor further regulatory guidance, and avoid self-reporting to DPAs wherever possible.
Khadija El-Leithy, a Trainee Solicitor at White & Case, assisted in the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP