Published on July 17th, 2020
EU court kills Privacy Shield, wreaks havoc on digital economy
The EU court decision in the Schrems II case that effectively kills the Privacy Shield pact hammered out four years ago between the U.S. and EU could cripple multinational companies' ability to operate as they scramble to scrutinize their data transfer mechanisms.
"This is a stunning and completely unexpected decision. In invalidating the Privacy Shield framework, the European Court of Justice has jeopardized the ability of thousands of companies to do business in the EU," said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth. "This decision not only topples a well-ensconced data transfer regime that is relied on by over 5,000 U.S. companies, but it also calls into question the ability of multinational companies to transfer data to the U.S. under any mechanism."
But Steve Durbin, managing director of the Information Security Forum (ISF), said Schrems II "was always going to be a major test for the Privacy Shield," so for many, the decision "has come as no surprise that the European Court of Justice has responded in this way," considering the jumble of state privacy laws currently governing personal data in the U.S.
The ECJ essentially agreed with Austrian privacy advocate Max Schrems, who claimed that the privacy pact didn't protect EU citizens from being spied on by the government, pointing to U.S. national security laws allowing surveillance of foreign nationals.
The then 28 members of the EU gave their approval to a rejiggered EU-US Privacy Shield Agreement in July 2016, but privacy advocates stressed the pact would likely be challenged in court, much like its predecessor, the Safe Harbor agreement, which the ECJ earlier struck down in response to a previous Schrems case brought in the wake of former CIA subcontractor Edward Snowden's revelations that the NSA was running a covert program that spied and collected data on U.S. citizens.
In today's decision, the court said U.S. surveillance laws "are not limited to what is strictly necessary."
"This judgment is the second major blow delivered to the U.S. privacy and data protection legal framework by the EU Court of Justice relating to the Snowden disclosures, and in today's climate of unstable transatlantic political relationships, it is unlikely to meet with approval in the U.S.," said Stewart Room, global head of data protection and cybersecurity at DWF.
With the death knell sounded on Privacy Shield, the 5,300 or so companies previously under its protection must rely on standard contractual clauses (SCCs) that Europe uses for companies in other countries and even some U.S. organizations like Microsoft.
"Fortunately, there are workarounds to maintain data flows to the U.S., which include the standard contractual clauses. The SCCs and other workarounds can keep data flowing to the U.S.," said Room. Those workarounds also mean "adjustments can be made where necessary, to keep data flows to the U.S. alive."
But businesses that use SCCs still will find themselves "under the gun," said Sotto. "While the [court's] decision kept SCCs in place as a transfer tool, there are new and immediate obligations that companies relying on SCCs for their data transfers will need to reconsider, particularly with respect to transfers to the U.S. Having SCCs in place is not a get-out-of-jail-free card."
The court's action also has created a good bit of uncertainty for the companies once covered by Privacy Shield, and privacy advocates questioned the timing of the ruling. "The impact on business? Not great," said Durbin. "At a time when many businesses are doing all they can to remain open and trading post-pandemic as we head into one of the worst global recessions for some time, this additional compliance burden is something many could have well done without."
Eline Chivot, senior policy analyst at ITIF's Center for Data Innovation, slammed the decision as "nothing short of irresponsible" coming during the pandemic when "global data flows are more vital than ever."
Bridget Treacy, data privacy partner at Hunton Andrews Kurth, called on EU regulators "to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements to the Shield in order to continue to lawfully transfer personal data from the EU to the U.S." and to provide "urgent guidance from regulators on transition arrangements."
For the time being, companies must protect themselves. Sotto said that organizations "that relied on the Privacy Shield will immediately need to shift gears and put another data transfer mechanism in place."
In the short term, companies, in addition to consulting their legal counsels, must "make sure they have a clear understanding of whose data they have, what is their residency, where it is stored, where that data center is located and maps of where data is flowing," said BigID Vice President of Privacy & Policy Heather Federman. "If a multinational corporation can ensure they are accurately tracking personal data, it will significantly minimize the risk" of negative impact from this decision.
Europe's strict privacy regulations can help protect companies while the EU and U.S. sort out future requirements. "Good practice will require strict adherence to the GDPR rules since without the Privacy Shield companies must adhere to the guidelines set out around its extraterritorial application," said Durbin.
The court's decision should be a rallying call for the U.S. to finally cobble together a national privacy law. "The patchwork of privacy laws that make up the various rules governing personal data in the United States ranging from the California Consumer Privacy Act (CCPA) through to failed attempts in other states such as the Washington State Privacy Act and New York Privacy Act (NYPA) which both failed to pass their legislative sessions last year... point to the long overdue need for a federal law on privacy that at least meets the same level of protection as the GDPR," said Durbin, who doubts such national legislation will be forthcoming. "Federal lawmakers have traditionally shied away from such a move preferring to hand responsibility for enforcement to state attorneys-general."
Although the ruling applies to transfers between the U.S. and EU, its implications spread well beyond the U.S. "Twice now the European Commission has tried to reach an agreement with the U.S. on data protection, only to have its efforts ruled unlawful," said Room. "There needs to be a different mindset to how the challenges of international transfers to the U.S. are met, because failed schemes like this have significant impacts for individuals and for businesses."
In regard to SCCs, the court likely puts "EU trade at risk with other third countries such as China and Russia, which also don't have a judge examining each part of national security surveillance," said Peter Swire, Alston & Bird privacy and data security practice senior counsel and a former privacy negotiator with the EU, who pointed to China's paucity of limitations on surveillance.
"If the E.U. doesn't assess third country law, national data protection authorities are in a weak position to make decisions about which third countries lack essential equivalence to the E.U. legal standards," said Swire, who testified as an expert witness during the trial phase of the case and also testified at the invitation of European data protection officials after the 2015 Schrems decision. "The DPAs typically have no access to national security expertise at the top-secret level and lack the resources to assess third country legal systems in a fair and comprehensive way."
Pressing for the E.U. to offer "some Europe-wide mechanism to have an informed process about third country surveillance regimes," Swire said, "If you take a step back, it is extraordinary to think that the individual in one country has a right to have a judge in a different country examine all of the surveillance relevant to that individual. That is contrary to how intelligence actions have worked since the dawn of time."