The EU court decision in the Schrems II case that effectively kills the Privacy Shield pact hammered out four years ago between the U.S. and EU could cripple multinational companies' ability to operate as they scramble to scrutinize their data transfer mechanisms.
“This is a stunning and completely unexpected decision. In invalidating the Privacy Shield framework, the European Court of Justice has jeopardized the ability of thousands of companies to do business in the EU,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth. “This decision not only topples a well-ensconced data transfer regime that is relied on by over 5,000 U.S. companies, but it also calls into question the ability of multinational companies to transfer data to the U.S. under any mechanism.”
But Steve Durbin, managing director of the Information Security Forum (ISF), said Schrems II “was always going to be a major test for the Privacy Shield,” so for many, the decision “has come as no surprise that the European Court of Justice has responded in this way,” considering the jumble of state privacy laws currently governing personal data in the U.S.
The ECJ essentially agreed with Austrian privacy advocate Max Schrems, who argued that the pact did not protect EU citizens’ personal data from U.S. government surveillance, pointing to U.S. national security laws that authorize surveillance of non-U.S. persons.
The then 28 members of the EU gave their approval to a rejiggered EU-US Privacy Shield Agreement in July 2016, but privacy advocates stressed the pact would likely be challenged in court, much like its predecessor, the Safe Harbor agreement, which the ECJ struck down in 2015 in response to a previous Schrems case brought in the wake of former NSA contractor Edward Snowden’s revelations about the agency’s covert bulk surveillance programs.
In today’s decision, the court said U.S. surveillance laws “are not limited to what is strictly necessary.”
"This judgment is the second major blow delivered to the U.S. privacy and data protection legal framework by the EU Court of Justice relating to the Snowden disclosures, and in today's climate of unstable transatlantic political relationships, it is unlikely to meet with approval in the U.S.,” said Stewart Room, global head of data protection and cybersecurity at DWF.
With the death knell sounded on Privacy Shield, the 5,300 or so companies previously relying on it must fall back on standard contractual clauses (SCCs), the EU-approved contract terms already used for transfers to companies in other third countries and by some U.S. organizations, such as Microsoft, that never depended solely on Privacy Shield.
“Fortunately, there are workarounds to maintain data flows to the U.S., which include the standard contractual clauses. The SCCs and other workarounds can keep data flowing to the U.S.,” said Room. Those workarounds also mean “adjustments can be made where necessary, to keep data flows to the U.S. alive.”
But businesses that use SCCs still will find themselves “under the gun,” said Sotto. “While the [court’s] decision kept SCCs in place as a transfer tool, there are new and immediate obligations that companies relying on SCCs for their data transfers will need to reconsider, particularly with respect to transfers to the U.S. Having SCCs in place is not a get-out-of-jail-free card.”
The court’s action also has created a good bit of uncertainty for the companies once covered by Privacy Shield, and industry observers questioned the timing of the ruling. “The impact on business? Not great,” said Durbin. “At a time when many businesses are doing all they can to remain open and trading post-pandemic as we head into one of the worst global recessions for some time, this additional compliance burden is something many could have well done without.”
Eline Chivot, senior policy analyst at ITIF's Center for Data Innovation, slammed the decision as “nothing short of irresponsible” coming during the pandemic when “global data flows are more vital than ever.”
Bridget Treacy, data privacy partner at Hunton Andrews Kurth, called on EU regulators “to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements to the Shield in order to continue to lawfully transfer personal data from the EU to the U.S.” and to provide “urgent guidance from regulators on transition arrangements.”
For the time being, companies must protect themselves. Sotto said that organizations “that relied on the Privacy Shield will immediately need to shift gears and put another data transfer mechanism in place.”
In the short term, companies, in addition to consulting their legal counsel, must “make sure they have a clear understanding of whose data they have, what their residency is, where it is stored, where that data center is located and maps of where data is flowing,” said BigID Vice President of Privacy & Policy Heather Federman. “If a multinational corporation can ensure they are accurately tracking personal data, it will significantly minimize the risk” of negative impact from this decision.
Europe’s strict privacy regulations can help protect companies while the EU and U.S. sort out future requirements. “Good practice will require strict adherence to the GDPR rules since without the Privacy Shield companies must adhere to the guidelines set out around its extraterritorial application,” said Durbin.
The court’s decision should be a rallying call for the U.S. to finally cobble together a national privacy law. “The patchwork of privacy laws that make up the various rules governing personal data in the United States ranging from the California Consumer Privacy Act (CCPA) through to failed attempts in other states such as the Washington State Privacy Act and New York Privacy Act (NYPA) which both failed to pass their legislative sessions last year... point to the long overdue need for a federal law on privacy that at least meets the same level of protection as the GDPR,” said Durbin, who doubts such national legislation will be forthcoming. “Federal lawmakers have traditionally shied away from such a move preferring to hand responsibility for enforcement to state attorneys-general.”
Although the ruling applies to transfers between the U.S. and EU, its implications spread well beyond the U.S. “Twice now the European Commission has tried to reach an agreement with the U.S. on data protection, only to have its efforts ruled unlawful,” said Room. “There needs to be a different mindset to how the challenges of international transfers to the U.S. are met, because failed schemes like this have significant impacts for individuals and for businesses.”
With respect to SCCs, the ruling likely puts “EU trade at risk with other third countries such as China and Russia, which also don’t have a judge examining each part of national security surveillance,” said Peter Swire, Alston & Bird privacy and data security practice senior counsel and a former privacy negotiator with the EU, who pointed to China’s paucity of limitations on surveillance.
“If the E.U. doesn’t assess third country law, national data protection authorities are in a weak position to make decisions about which third countries lack essential equivalence to the E.U. legal standards,” said Swire, who testified as an expert witness during the trial phase of the case and also testified at the invitation of European data protection officials after the 2015 Schrems decision. “The DPAs typically have no access to national security expertise at the top-secret level and lack the resources to assess third country legal systems in a fair and comprehensive way.”
Pressing for the E.U. to offer “some Europe-wide mechanism to have an informed process about third country surveillance regimes,” Swire said, “If you take a step back, it is extraordinary to think that the individual in one country has a right to have a judge in a different country examine all of the surveillance relevant to that individual. That is contrary to how intelligence actions have worked since the dawn of time.”