BREAKING: E.U. High Court Invalidates Privacy Shield
On July 15, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism for managing data transfers between the European Union and the United States (and other countries). For many of our clients, EU-US data transfers are a significant component of business operations, and these transfers are currently undertaken through Privacy Shield mechanisms. By our count, more than 5,000 companies currently use the Privacy Shield data transfer framework, and the CJEU decision could require these companies to reassess their data transfer governance.
Ice Miller’s Data Security and Privacy team has more information on the case below.
Case Background
Informally referred to as Schrems II, the CJEU decision is a sequel to Schrems I, a 2015 case against Facebook Ireland that invalidated the U.S.-EU Safe Harbor Framework because it offered an inadequate level of protection around personal data transferred. The European Commission and the U.S. Government then agreed on a replacement regime, the EU-US Privacy Shield, which was supposed to provide an adequate framework to address the data transfer issues. However, the CJEU has now determined that Privacy Shield is invalid as it too falls short of offering adequate data protection.
What Does Schrems II Mean For Your Company?
First, we would like to note the CJEU did affirm that Standard Contractual Clauses (SCCs) established in third countries—a key component of the prior framework for transfers of personal data—remain valid, potentially a helpful development. SCCs established in third countries offer one potential vehicle in the short term for mitigating the impact of Schrems II. Data controllers wanting to rely on SCCs will have to carry out an assessment of the data protection afforded by the country where the data will be sent—and if they determine that the level of protection is not at least the same as protections offered under EU laws, controllers are required to suspend data transfers. According to the CJEU, the validity of certain SCCs depends on whether there are “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data . . . are suspended or prohibited” should these mechanisms be ignored or impossible to honor. If you currently use SCCs, our team can help you complete that assessment.
Schrems II unfortunately also obligates EU regulators to suspend or prohibit data transfers to and from countries with inadequate data protection regimes—which currently includes the U.S. Because transatlantic data transfers account for over $7 billion annually, the notion that regulators may freeze transfers with inadequate protections is certainly worrisome for companies of all sizes and scope, not just tech giants like Facebook. Many informed observers expected that, given the strong likelihood that the CJEU would invalidate Privacy Shield, the European Commission and the U.S. Government would have had some options prepared for this eventuality—so far, however, it appears that the two sides will likely be trying to pick up the pieces of a shattered policy framework that required lengthy and difficult negotiations.
Moving Forward
The decision understandably creates uncertainty in an already confusing time. We do expect there will be an effort to fashion a transition period with frequent updates and guidance from the CJEU and the European Commission. Our Data Security and Privacy team is assessing the impact and focusing on ways we can assist companies to transition from Privacy Shield and toward other forms of data transfer governance. Although today’s decision will likely require a reassessment of data transfer frameworks, our team can ensure any changes will be made after careful attention to these updates and to a company’s specific needs. In the meantime, if you have any questions or concerns, please do not hesitate to contact a member of our team.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
Guillermo Christensen is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Groups. Guillermo combines his experience as an attorney, a former CIA intelligence officer and a diplomat with the U.S. Department of State to shape and inform the advice he provides to clients on various enterprise risks involving cybersecurity and national security law.
Nick Merker chairs Ice Miller’s Data Security and Privacy Practice and leads the Firm’s Esports and Video Game Law Practice. Nick’s experience is unique, as he is one of a handful of lawyers in the country who worked as a computer systems, network and security engineer for 10 years before practicing law.
Mason Clark is an associate in Ice Miller’s Data Security and Privacy Group. He has a Master’s degree in Cybersecurity Risk Management, and he is a frequent presenter on data security and privacy issues at conferences and presentations across the country.