Schrems II – It’s Not Just Travel That’s Now Restricted between Europe and the US

On July 16, 2020, the European Union’s Court of Justice (“CJEU”) ruled that an important provision of the EU-U.S. Privacy Shield (“Privacy Shield”) allowing companies to lawfully transfer personal data from the EU to the US is invalid. Companies must now reevaluate their data privacy protocols to ensure they are in compliance with GDPR.

In delivering their ruling, the CJEU states that the Privacy Shield, in place since 2016, could potentially expose customers’ data to US government surveillance. As the court put it in a press release:

The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.

The brass tacks here is that US companies doing business in Europe or receiving data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contract Clauses (“SCC”), with the EU or stop transferring data from European operations into the US. One nuance here is that the ruling applies to data that companies such as Google transfer to US servers for their own purposes, but it does not affect “necessary” data transfers, such as when a European citizen books a travel on a US website.

Not the First Rodeo with EU – US Data Transfers

Back in 2000 (remember the flip phone days?), an agreement governing the sharing of EU customer data between Europe and the United States was called Safe Harbor. However, following revelations from Edward Snowden and a legal challenge from Maximillian Schrems, the CJEU invalidated Safe Harbor in 2015. Schrems alleged the Safe Harbor agreement (which permitted NSA access to EU citizens’ personal data, a fact brought to light by Snowden) stood in conflict with EU law.

Privacy Shield was quickly drafted in the wake of the Safe Harbor invalidation, and the European Commission adopted it in 2016. Even prior to its adoption, EU regulators warned that “Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the court.” Regulators also warned at the time that Privacy Shield might be in conflict with Europe’s sweeping privacy law, the General Data Protection Regulation (“GDPR”).

Schrems, the plaintiff who helped invalidate Safe Harbor, was also the intervening party in this case to invalidate Privacy Shield. Afterwards, Schrems stated “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market. This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.”

How are US Companies Responding?

Major US tech companies quickly tried to perform damage control, with many stating that the ruling will not materially affect their European operations. Companies like Microsoft and Facebook posted messages assuring customers that they would not see a significant change in their usage, and that they plan to “work proactively with the European Commission and the US government to address the issues raised by the ruling.”