In July, the Court of Justice of the European Union found that the EU-US Privacy Shield, which protects the data of EU citizens, did not provide sufficient protection against the ability of US public authorities to access that data once it has been transferred to the servers of companies based in the US. This has significant implications for the more than 5,000 current Privacy Shield participants that process data in bulk, such as Facebook, Google, and TikTok, as well as banks and consumer goods companies.
The ruling follows a complaint filed by Max Schrems, an Austrian national, against Facebook, alleging that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to Facebook servers in the US.
The EU General Data Protection Regulation (GDPR), established to protect the personal data of EU citizens, provides that the transfer of such data to a third country may take place only if the country in question ensures an adequate level of data protection. The EU Commission makes its judgment based on three principles:
- An adequate level of protection exists within the country, by reason of its domestic law or its international commitments.
- The personal data exporter established in the EU has provided appropriate safeguards, and data subjects have enforceable rights and effective legal remedies.
- The GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.
This essentially means that those whose personal data is transferred to another country must be afforded the same level of protection guaranteed within the EU by the GDPR. The GDPR gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4% of global annual sales. The Privacy Shield was also subjected to annual EU-US reviews.
The EU ruling invalidates the Privacy Shield, which has left many industry players scrambling to ensure they are not out of compliance. So, what happens now?
There are ways to move forward, as stated in another part of the EU ruling, by incorporating Standard Contractual Clauses (SCCs) for the transfer of personal data to processors. However, the doubts about American data protection also plunge this alternative method into legal uncertainty. Businesses operating under SCCs should be wary of the increased scrutiny regulators will likely apply to such agreements, given the perceived inadequacy of US privacy protections in the eyes of EU courts. The EU decision makes it very difficult for most companies doing business in Europe to outsource significant volumes of data to tech companies in the US for processing or backup purposes.
This isn’t the first time a privacy mechanism between the US and EU has been dissolved. In 2015, the European Commission struck down the US-EU Safe Harbor Framework, the Privacy Shield’s predecessor, on similar grounds. Now that these schemes have been terminated twice, the question companies are asking is, “where do we go from here?”
Most recently, the US Department of Commerce and the European Commission issued a joint statement announcing that they have “initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework,” though they provided few details as to what this might look like.
With the growing scale and sophistication of cyber-attacks, data privacy and cybersecurity will remain a battleground for lawmakers and corporations – as consumers become more aware of the risks and scrutinize how their data is being used.
The US lacks an overarching data protection law at the federal level, relying instead on protection regimes at the state level, which can be difficult to manage from a compliance perspective. The latest decision by the EU is almost certainly going to drive renewed pressure on the administration to remedy the situation.
If you have any questions or concerns about compliance, please get in touch with Allan Rooney or Sean Hogle in the US or John Nimmo in the UK.
This article is one of a series intended to de-mystify common legal issues for the non-lawyer and entrepreneur audience; the articles are designed to foster discussion and are by no means exhaustive. These materials are for informational purposes only. Nothing herein is intended nor should be regarded as legal advice. The distribution of this article to any person does not establish an attorney-client relationship with our firm. Rooney Nimmo assumes no liability in connection with the use of this publication. This bulletin is considered attorney advertising under the applicable rules of New York State. Rooney Nimmo UK is regulated by the Law Society of Scotland and Rooney Nimmo US by the New York rules of professional conduct. All attorneys and solicitors listed in this firm stipulate their jurisdictional limitations. Rooney Nimmo in the USA is a law firm registered as a New York State professional corporation.