The EU-US Privacy Shield Invalidated: What This Means for You

  • by Noah Ramirez, JD / CIPP
  • last updated July 29, 2020

On July 16, 2020, the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU law. 

This case is the latest development in a long-running battle in the Irish courts and the CJEU involving Facebook, Austrian privacy advocate Max Schrems, and the Irish Data Protection Commission. The decision will impact thousands of companies in the EU and the US and drastically change the way we trade data across the Atlantic.

The decision reinforces the European Union's commitment to protecting its citizens' data. It's also a great example of how the General Data Protection Regulation's influence extends well beyond the EU. In this article, we'll help you understand the court's decision and how it affects you.

What Is Privacy Shield?

The Privacy Shield is a framework approved by the European Union and US government for complying with EU data protection requirements when data is transferred between the United States and the European Economic Area (EEA). It's not mentioned in the General Data Protection Regulation (GDPR), but it was spun out of GDPR as a way to meet the regulation's requirements.

Organizations are deemed to provide "adequate" protection of personal information as required by the GDPR if they abide by the seven Privacy Shield principles. 

  1. Notice - Organizations must publish privacy notices with specific information about their privacy practices, their participation in the Privacy Shield framework, and how they collect, use, and share the data of EU residents.
  2. Choice - Opt-in consent is required before organizations can collect personal information, process it, or share it with third parties. Individuals must have a mechanism to opt out of all of these activities.
  3. Accountability for Onward Transfer - Organizations must enter into contracts with third-party data processors which require them to process or transfer personal data in a manner consistent with Privacy Shield.
  4. Security - Organizations must take steps to protect personal data from loss, misuse, disclosure, alteration, unauthorized access, and destruction.
  5. Data Integrity and Purpose Limitation - Organizations must limit data processing to the purposes for which it was collected and ensure that personal data is accurate, complete, and current.
  6. Access - Data subjects must have a mechanism to request access to, or to correct, amend, or delete, information the organization collects about them.
  7. Recourse, Enforcement, and Liability - This principle addresses the remedy for individuals affected by non-compliance, consequences to organizations for non-compliance, and compliance verification.

The CJEU's Privacy Shield Decision

Schrems' original complaint questioned whether the Privacy Shield and the Standard Contractual Clauses (SCCs) provide sufficient safeguards to personal information when it enters and/or leaves the EU. The court ruled that Privacy Shield does not meet the GDPR's standard. SCCs meet the standard sometimes, but not always. 

As you can imagine, the decision is exceedingly complex, but the court had two main problems with Privacy Shield.

The first issue is that US law enforcement can gain access to personal data that is transferred under Privacy Shield. The court argues that US policies prioritize national security over the rights and freedoms of EU data subjects. It claims law enforcement can access more data than what is strictly necessary, which violates the GDPR.

Safe Harbour failed at the CJEU several years ago for the same reason: the NSA and similar agencies have excessive access to personal data.

The second issue is that Privacy Shield requires the appointment of an ombudsperson. The position exists, but the appointee lacks the authority to make binding decisions on US government and intelligence agencies, which means EU data subjects lack actionable rights in the US court system against government violations. This conflicts with EU law that requires EU data subjects to have a redress mechanism for privacy violations. 

The result: Privacy Shield is no longer a valid lawful basis on which to transfer personal data from the EU to the United States.

The CJEU's decision also places some scrutiny on SCCs. SCCs are still valid, but whether they constitute a lawful basis for transferring personal data to a jurisdiction without an adequacy decision depends on whether the jurisdiction affords "a level of protection essentially equivalent to that guaranteed within the EU." The data exporter and importer must ensure there is an adequate level of protection for personal data in the importer's jurisdiction. 

Given the court's findings on US surveillance laws, a future case might deem transfers to the United States based on Standard Contractual Clauses invalid because they fail to meet that "essentially equivalent to that guaranteed within the EU" standard. The same risk would apply to transfers with any country with broad surveillance programs that don't meet the GDPR's rules. For the time being, however, SCCs are still valid.

The US Department of Commerce has expressed deep disappointment in the invalidation but is willing to work with the EU Commission and Data Protection Board. Further, the Department of Commerce hopes to "limit the negative consequences to the $7.1 trillion (trans-Atlantic) economic relationship that is vital to our respective citizens, companies, and governments." European Commission authorities share this interest in collaboration.

What This Means For You

If you rely on Privacy Shield to transfer data with the EU, you must either stop your transfers or adopt a different GDPR-approved mechanism. That said, your existing commitments to the Privacy Shield remain enforceable by the US Federal Trade Commission. As far as the US is concerned, you still have to comply with the Privacy Shield.

Standard Contractual Clauses are the solution to this issue. They are still valid mechanisms for ensuring that a vendor provides the necessary data protection. 

If you're transferring within a corporate family, you can use GDPR-approved binding corporate rules, which are terms pre-approved by EU authorities that multinational organizations can use as their own internal rules. You can also obtain explicit consent from data subjects for each transfer or for transfers scheduled by a contract.

How Osano Helps

If you use Osano to manage your business's privacy compliance, you do not need to be concerned about the invalidation of Privacy Shield. We ensure transfers are secure and lawful. We use the Standard Contractual Clauses necessary to ensure you have liability protection and data processing protections to satisfy the transfer requirements.

As a privacy company, Osano's entire platform is purpose-built to meet the needs of even the most security- and compliance-conscious customers. We have thousands of well-known EU users who have vetted our process and practices. We can provide you with the same level of comfort.

Osano’s platform is compliant with the new regulations. Speak with your account executive or your account manager to learn how Osano can be implemented in compliance with the new ruling. If you haven’t yet connected with our support team, you can get started today.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.