Privacy Shield invalidated by European Court: impacts & solutions

Invalidation of the Privacy Shield: impacts and solutions

In July 2020, the Court of Justice of the European Union (CJEU) delivered a verdict in the case under the name Schrems II (C-3111-18), in which personal data transfer mechanisms between the EU and the United States were contested. The prevailing argument was that US legislation insufficiently guaranteed protection for personal data from the UE in conformity with GDPR law.

Let's take a look at this decision and its impact for European organisations and businesses.

***

GDPR gUarantEes AND THE LINK TO THE Privacy Shield

GDPR obliges private and public organisations to: "ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country".

Enterprises and organisations must therefore assume responsibility for:

1. 1. Ensuring the protection of personal data during processing or storage, including during the transfer of this data to service providers or sub-contractors.
  2. Guaranteeing the right of individuals to initiate recourse including when data is transferred outside of the EU.

The legislation specifies that in the absence of an equivalent local GDPR, these transfers must be bound by Standard Contractual Clauses (SCC).

The Privacy Shield was one of many SCCs adopted by the European Commission to frame the conditions of data transfer outside of the EU in this instance to the United States.

***

THE PRIVACY SHIELD, A SELF-CERTIFICATION GUARANTEE

In August 2016, the European Union recognized the Privacy Shield as being in conformity with its General Data Protection Regulations. This directive has since been replaced by GDPR.

This data protection shield enabled US companies to provide adequate guarantees for the protection of personal data of EU origin.

***

THE DECISION OF THE COURT OF JUSTICE OF THE EU

The decision of the CJEU invalidates the Privacy Shield agreement on the on the very basis of its raison d'être:

"The Court holds that... competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view... that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer"

The American system, by virtue in particular of the Patriot Act and more recently the Cloud Act, allows, for security reasons, US public authorities to access and exploit data without prior notification or authorization from the data owner. This applies to European data stored in the US, but also data stored by an American provider (such as Google, Microsoft, Amazon) even if the data is physically stored in Europe.

The CJEU also argues that the Privacy Shield does not guarantee the right of effective recourse against the American authorities. The fundamental rights of those persons whose data is transferred are therefore not guaranteed.

Changes are also possible to the text of the Privacy Shield itself (discussions between the U.S. Department of Commerce and the European Commission have just started), but how quickly these talks progress before the American presidential elections is anyone's guess.

Many voices are already demanding a major overhaul of laws governing data in the United States arguing that the current texts are out of date in relation to the current speed of technological change.

***

Impact ON EUROPEAN FIRMS

end of the privacy shield This decision shatters the framework that allowed European companies and public administrations to legally transfer personal data outside the perimeter protected by GDPR law.

Organisations that have transferred data to one or more of over 5000 American solutions (SaaS applications, data hosting or other cloud services) and who are signatories of the Privacy Shield, are effectively operating illegally and must start looking for solutions to ensure legality is restored. We should note that the CJEU has not provided a framework for a return to conformity and that GDPR texts state that sanctions can reach 20 million euros or 4% of global revenues.

What options do I have?

* Renegotiate service charges with the providers – This first option comprises a renegotiation of data transfer clauses with your service providers. Ideally, the provider will undertake to be transparent regarding US government requests.

A number of major software vendors such as Microsoft have shown willingness to fight to change the law by challenging data access orders and claiming the right to inform their customers. But which vendor has the time and money to go before an American court for each client request?

Even with guarantees of notification or information offered by this kind of clause, the problem is not totally resolved because, as the CJEU ruled, there is a limit to the American legal system's right of recourse that can be afforded to data owners. In other words, it goes far beyond just a matter of simple notification.

In conclusion and despite what some American service providers may say, the law does not currently allow for a return to legality within a reasonable amount of time.

- - -

* Second option -- Many have asked their American service providers to relocate their data centers in Europe. It's a nice idea because it would mean that the existing service is maintained after requesting the provider to relocate to a European data center.

Except that, legally, the localisation of data centers in Europe, be they AWS, Microsoft, Google or any other, in no way protect data from a legal request emanating from American judiciary (refer to the extraterritoriality clauses contained in the Patriot Act and Cloud Act).

- - -

* As such, the best option is to return data to European data centers but with a 100% European provider.

Whether or not your primary motivation is to begin your journey towards “European digital governance”, the first step will be to find alternative European solutions. Several initiatives have already been launched to identify these “trusted sovereign solutions” including the ECA (European Champions Alliance).

It will then be necessary to prepare the migration of data to the new service and depending on the volumes concerned, this can take time. Having the support of experienced teams and the power of tested solutions will provide additional security regarding your ability to keep this project under control while ensuring data integrity and protection.

***

WHAT NEXT?

One thing is clear, the first action is to create a working group within the organisation, with the goal of establishing an action plan which brings you back into an acceptable legal framework.

In the absence of a rapid and simple solution, the communications between members of this working group will demonstrate that you are aware of the problem and are actively looking for solutions.

***