What is Privacy Shield?  Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.

EU Court holds Privacy Shield to be Inadequate.  On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU), held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data.  Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fail to meet the “minimum safeguards” guaranteed by the EU.

So now what?  With Privacy Shield invalidated by the CJEU, no clear guidance currently exists for what comes next for companies covered under the agreement. U.S. Commerce Secretary Wilbur Ross has commented that the Department of Commerce is currently studying the decision and will continue its recognition of the agreement in the meantime. Although U.S. policymakers may be comfortable continuing with Privacy Shield, EU organizations, subject to their supervisory authorities, will likely push for alternative means to safeguard transatlantic transfers.

One alternative, standard contractual clauses (“SCCs”), was upheld by the CJEU. These provisions, composed by the European Commission, identify the responsibilities concerning data transfers and allow EU regulators to intervene in individual instances where inadequate protection of European data is suspected. In other words, because EU regulators can invalidate transfers on a case-by-case basis if a company is violating the clauses’ terms, SCCs are a reasonable method to safeguard transatlantic transfers. Major technology companies, such as Facebook and Microsoft, already use SCCs for transatlantic data transfers.

For companies that are already parties to Privacy Shield agreements, the following are some recommendations as they navigate this apparent time of transition:

  1. Focus on all agreements. Although the U.S. government will continue to recognize Privacy Shield, EU business partners will not. Companies should consider renegotiating data processing agreements with EU business partners to incorporate SCCs as a reasonable safeguard for data transfers.
  2. Keep your promises. Although Privacy Shield is no longer validated by the CJEU, a company’s certification of Privacy Shield compliance constitutes a representation to consumers that, if violated, could constitute a deceptive or unfair trade practice. Therefore, companies should continue to be mindful of their Privacy Shield obligations until the certification term expires. Likewise, as always and especially in line with CCPA enforcement which is now underway, your posted privacy policies should be reviewed to ensure representations remain complete, accurate and truthful.
  3. Stay tuned. As you might imagine, regulators all over the EU are evaluating this decision to determine what changes to implement and how to enforce them. Likewise, we can expect some guidance from the U.S. Department of Commerce as well.

Although U.S. companies not already relying upon SCCs can expect calls for negotiation from EU business partners, we should also expect continued calls from Silicon Valley and other tech giants for changes to U.S. federal privacy and surveillance law. While such changes are likely years away, the invalidation of Privacy Shield will only serve to amplify the current movements for more regulation. Of course, we will continue to update you here on Taft Privacy and Data Security Insights.  Ever forward.