What Happened to the EU-U.S. Privacy Shield and the Road Forward
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a decision (commonly referred to as “Schrems II”) finding the EU-U.S. Privacy Shield to be an “invalid” mechanism for transferring personal data from the EU to the U.S.[1] This decision was issued approximately three years after the Privacy Shield, jointly developed between the U.S. Department of Commerce and the European Commission, was deemed an adequate data-transfer mechanism by the European Commission in 2016.[2] More than 5,000 European and American companies are now left to rely on standard contractual clauses (SCCs) for transatlantic data transfers, and the sheer volume of companies affected creates important ramifications for international trade and for the development of technologies such as artificial intelligence, which rely heavily on inputs of user data.[3]
While the European Commission deemed in 2016 that the Privacy Shield provided adequate protection, the CJEU nonetheless found that the lack of proportionality of U.S. national security surveillance programs might violate the rights of European citizens under the EU Charter on Fundamental Rights.[4] Maximilian Schrems, whose complaint against Facebook later turned into a lawsuit known as “Schrems I,” complained to the Irish Data Protection Commissioner because the company could be ordered by the U.S. public authorities to hand over his personal communications.[5] This security concern is complicated by the fact that EU citizens lack actionable judicial redress in U.S. courts for lack of standing.[6]
The CJEU decision has already affected tech giants like Facebook. In September 2020, the Irish Data Protection Commission, which is the regulator that oversees Facebook’s actions in Europe, issued a preliminary order for Facebook to suspend data transfers to the U.S., threatening a fine of 4% of its global revenue.[7] As a result, Facebook would have to either reengineer its entire system or shut down its businesses in Europe temporarily.[8]
As companies scramble for alternatives, the “Schrems II” decision permits transatlantic data transfers via SCCs, but companies will have to verify whether the laws in the recipient countries provide adequate protections for EU citizens.[9] In the case of data transfers to the U.S., since the CJEU has already ruled that legal protections are lacking in the recipient country, companies have the burden of conducting a case-by-case analysis by asking: 1) whether the relevant U.S. surveillance programs apply in a particular context, and if so, 2) whether they could remedy any inadequacy by providing additional safeguards.[10] When no adequate safeguards are applicable, data transfers are no longer valid.[11] Some commentators go so far as to suggest that the SCCs are not a viable data transfer alternative, at least in the U.S., given that individuals cannot easily prove that their data are handed to public authorities under secret government surveillance programs.[12]
Members of privacy circles have suggested some directions for reform going forward. Since “Schrems II” essentially arose out of concerns about U.S. surveillance of personal data belonging to EU citizens and the lack of judicial redress, one way of resolving these concerns is to improve the mechanism for judicial redress.[13] On the one hand, a “credible fact-finding inquiry” into surveillance activities is needed to protect individual rights, such as by the Privacy and Civil Liberties Officers within the CIA that are tasked with investigating allegations of wrongdoing by U.S. intelligence agencies.[14] On the other hand, an independent judicial body such as the Foreign Intelligence Surveillance Court, which has expertise and established procedures in dealing with U.S. surveillance law, could serve as an adjudication body and provide the appropriate redress for injured individuals.[15]
While the U.S. Department of Commerce issued a white paper to assist companies in adjusting to this new reality,[16] it remains to be seen whether a new round of negotiation on an updated Privacy Shield will commence any time soon. Meanwhile, companies, regulators and privacy professionals around the world will continue to learn about the impacts of, and solutions to, this “Schrems II” decision.
Footnotes