Law & Public Policy Blog

ECJ Pierces the EU-U.S. Data Privacy Shield, Complicating Transatlantic Data Sharing Mechanisms

Suzanne Bernstein, Law & Public Policy Scholar, JD Anticipated May 2022

A recent, landmark decision from the European Court of Justice (ECJ) will have a lasting impact on the transatlantic economic relationship, which is worth nearly $7.1 trillion. On July 16, the ECJ invalidated the EU-U.S. Privacy Shield, the agreement that has governed the transfer of EU citizens’ personal data to the United States since 2016. Over the past twenty years, a series of distinct EU and U.S. regulations and EU-U.S. agreements concerning personal data have come into force, resulting in an ebb and flow of personal data transfers between the European Union and the United States over that period. Central to that instability is an incongruency of social values and legislative priorities between those entities. Whereas the protection of personal data is a fundamental right of EU citizens, the United States does not have a comprehensive personal data privacy regulatory regime at the federal level.

Timeline

To evaluate the momentum behind this court decision, it is helpful to understand the past twenty years of data sharing agreements between the United States and the European Union. From 2000 to 2015, EU-U.S. personal data transfers were regulated by the Safe Harbor Privacy Principles, a framework designed to prevent private entities from accidentally disclosing or losing the personal information of their customers. However, in 2015, two years after former NSA contractor Edward Snowden revealed that U.S. government surveillance programs were engaged in the bulk collection of personal data, Austrian activist Max Schrems, inspired by Snowden, sued Facebook Ireland in the ECJ. In his complaint, Schrems alleged that the United States did not offer sufficient protections for his personal data, which Facebook was transferring from the European Union to the United States for processing. The ECJ agreed and invalidated the Safe Harbor agreement in October 2015.

Shortly following that decision, the European Union and the United States implemented the EU-U.S. Data Privacy Shield as a replacement for the Safe Harbor. In 2016, prior to adopting the new agreement, the European Commission held that the Privacy Shield data transfer framework, which it had negotiated with the U.S. Department of Commerce, met the requirements set out in the ECJ’s 2015 decision that invalidated the Safe Harbor. Used by over 5,300 firms as of May 2020, the Privacy Shield facilitated unrestricted commercial data flows between the European Union and the United States, and therefore provided the foundation for transatlantic digital trade between 2016 and 2020. Finally, two years into the Privacy Shield’s tenure, the European Union passed a comprehensive scheme of data regulations: the General Data Protection Regulation (“GDPR”). Presumably, the enactment of the GDPR further exposed and widened the schism between data privacy regulations in the European Union and the United States.

Invalidating the Privacy Shield

In the ECJ’s decision on the Privacy Shield, which was issued in July, the court held that the Privacy Shield does not provide adequate protection for EU citizens’ personal data. Specifically, the court reasoned that current U.S. law does not satisfy requirements equivalent to those of EU data privacy laws, some of which protect personal data from government surveillance programs. Additionally, the court explained that the Privacy Shield does not provide EU citizens whose data has been transferred to the United States with actionable rights before U.S. courts.

The two main considerations for the court concerned the level of protection required by the GDPR in connection with data transfers, and the obligations of supervisory authorities—the entities tasked with monitoring the application of the GDPR to protect the fundamental rights of EU citizens in the scope of personal data processing—if the protection is insufficient. The court held that EU citizens must be afforded a level of protection equivalent to their rights under the GDPR. Importantly, even though the GDPR was enacted two years after the Privacy Shield agreement was implemented, the United States has yet to introduce a similar, comprehensive data privacy regulation. Therefore, protections for EU citizens’ data under U.S. law are not currently equivalent to those under the GDPR. In accordance with that holding, the court then instructed supervisory authorities to suspend or prohibit a data transfer to another state if the data protection laws in that state do not comply with EU law.

Impacts of the Decision

Wilbur Ross, the U.S. Secretary of Commerce, lamented that he was deeply disappointed in the ECJ ruling, but noted that the Commerce Department would remain in contact with the European Commission in order to limit any potential economic fallout from the decision. In addition, the Commerce Department indicated that it would continue to administer the Privacy Shield framework, and that participating organizations would not be relieved of their obligations under the program. Further, as a matter of EU law, companies previously relying on the Privacy Shield framework can transition to using Standard Contractual Clauses (“SCC”) for purposes of entering into agreements concerning the export of EU citizens’ data to non-EU countries deemed to have insufficient data protection standards. The SCC are a set of model contracts, written by the European Commission, that are designed to ensure that sufficient safeguards concerning data protection are put in place with respect to EU citizens’ data that is transferred internationally. An SCC is executed between an EU-based data exporter and a non-EU-based data importer for purposes of creating those protections. While affected companies, like Facebook, may have issues complying with those non-negotiable clauses, other companies, like Microsoft, already incorporate SCCs into their contracts.

Obviously, this ruling creates a tremendous amount of work for corporate legal departments. Interrupting the flow of data between the United States and the European Union could have a widespread, negative economic impact. However, the long-term implications of the court’s decision are not yet clear, as groups from both sides of the Atlantic will soon return to the negotiating table.