This issue is a big deal, but one that comes as little surprise to those following subject. As you may have already heard, the Court of Justice of the European Union (ECJ) recently ruled that the current data transfer agreement between the European Union and the United States known as the “Privacy Shield” did not provide adequate protections for the data of EU citizens when such data is transferred to the United States. That’s right — barely four years old, the Privacy Shield in its current form is dead. This is not the first rodeo when it comes to United States-European Union data-transfer harmonization, but the recent ECJ ruling definitely acts as a second strike and does not bode well for an easy fix to an already complicated situation.
Some necessary background will help provide some understanding why this is a big deal. As I have written here before, there is no comprehensive federal statutory approach in the United States to the privacy of personal information. Such information can be collected without the specific consent of the individual at the outset, subject to specific notice, consent, onward transfer, and other requirements after the fact. The European Union has taken a different approach — it acknowledges that “personal data” is owned by the individual, and the individual must provide informed consent to the use of such personal data. Without getting into the weeds here, suffice it to say that the EU’s focus on the individual resulted in the passage of Directive 95/46/EC (Data Privacy Directive) to protect individuals in the processing of their personal data and and the “free movement of personal data” within the European Union and the European Economic Area (EEA). Simply put, the European Union and United States took different approaches to personal data privacy, causing problems in personal data flow from the European Union to the United States. As a result, the cross-border data flow of personal information from the European Union to the United States needed to be “harmonized.”
The first attempt at this “harmonization” was the International Safe Harbor Privacy Principles developed in the late 1990s to create a framework for private organizations regarding the handling of personal data within the European Union, Switzerland, and the United States to protect it from improper disclosure or loss. This resulted in the U.S. Department of Commerce’s “Safe Harbor” — a way for U.S. companies to “opt-in” and self-certify that they adhered to these principles (as well as 15 frequently asked questions and answers per the Directive), thereby providing “adequate assurances” concerning the privacy of such personal information. Even though the European Commission ruled in favor of the Safe Harbor in 2000, the Safe Harbor was overturned in 2015 in a case brought before the ECJ, in no small part due to the Snowden revelations regarding NSA surveillance and its access to vast amounts of private data in contravention of the International Safe Harbor Privacy Principles.
Following this decision, U.S. companies started relying on standard contractual clauses (SCCs) and binding corporate rules (BCRs) approved by the European Commission to govern such data transfers. Then the General Data Protection Regulation (GDPR) was passed in 2016 as a long-needed update to the Data Privacy Directive, with an effective date slated for May 2018. In the midst of all this, the European Commission and the United States came up with the Privacy Shield to improve data protection for trans-border flows of personal information from EU citizens to the United States post-Safe Harbor. The EU-U.S. (and Swiss-U.S.) frameworks for Privacy Shield “were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.” The European Commission held this framework to be “adequate” so as to permit trans-border flow of personal data from the European Union to the United States (with the Swiss government following suit in January 2017). Fast forward to 2020 (with the GDPR now effective), and low and behold, the Privacy Shield is struck down by the ECJ, invalidating the Privacy Shield framework as inadequate (i.e., it’s Safe Harbor under another name) with no grace period to wind-down. In a way, it’s déjà vu all over again.
Please forgive the blatant skeleton timeline above, but it provides an important contextual point — trans-border flow of personal data from the European Union to the United States has a long history, and not a simple one. U.S. companies now no longer enjoy the streamlined approach for such transfers afforded by the original Safe Harbor and the now-invalid Privacy Shield. Why does this matter? This affects not only large service providers (such as Google) and social media sites (such as Facebook) used worldwide, but many U.S. companies doing business internationally with the EU and EEA. With the GDPR regulatory requirements now in place concerning the transfer of “personal data” from EU “data subjects” to data controllers and data processors outside the EU, this issue is one U.S. companies cannot ignore.
Thankfully, all is not lost. Here is some food for thought:..
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
