The European Court of Justice’s recent move to strike down the US-EU Privacy Shield agreement has upended the bilateral personal data transfer framework and pulled the rug out from under numerous American businesses that work with European customers’ personal data. But although the agreement was invalidated, there remain several steps to take and options to pursue that can help US businesses maintain their operations.
The 2016 bilateral US-EU Privacy Shield agreement allowed US companies to agree that they would adhere to the privacy and personal data rules and standards of the EU, thereby providing an equivalent level of protection to EU citizens and facilitating personal data transfers between the EU and the US. However, the European Court of Justice has now rejected that principle. In its decision(1), the court explained that the Privacy Shield agreement failed to provide adequate protection because it could not stop US intelligence services from accessing the personal data, even for companies that were Privacy Shield compliant. Furthermore, it was quite difficult for an EU citizen to file a complaint about a potential violation.
Although the decision did strike down the legal validity of the Privacy Shield agreement, one key observation is that it notably did not eliminate privacy standard contractual clauses (SCCs). These are cookie-cutter contractual clauses drafted and pre-approved by European regulators for use in privacy-related service agreements with customers. The court allowed SCCs to remain a valid tool in principle because courts have the authority to potentially strike them down and invalidate them on a case-by-case basis if they determine that they are problematic. With the elimination of the Privacy Shield, SCCs will likely be the primary legal tool that US companies rely upon to achieve compliance with the EU GDPR when transferring EU citizens’ data overseas, and this is an option many companies will want to pursue.
Binding corporate rules (BCRs) are another arrow in the quiver that remains legally viable. While SCCs provide coverage for transfers to third parties, BCRs provide a legal framework for organizations to transfer data internally among affiliate organizations. BCRs are tailored to the operations of each company, which must apply to have each BCR approved by a local supervisory DPA. Although the process is usually expensive and approval can take considerable time, the advantage of BCRs is that once in place they can cover a wide variety of transfer activities, whereas separate SCCs are needed for each individual data transfer. New BCR applications will likely need to address in detail how US affiliates will maintain privacy in the context of government surveillance activities. Companies that have the necessary time and resources may find pursuing a BCR to be a comprehensive alternative for achieving data transfer adequacy.
Furthermore, even though the legal effect of the Privacy Shield agreement in the EU has passed, the Privacy Shield hasn’t completely bitten the dust. The Privacy Shield List of self-certifying companies remains intact, and the companies that have self-certified compliance with its standards should not presume to immediately halt compliance with it. Even without the force of law, following the Privacy Shield standards on a voluntary basis does demonstrate a level of commitment to privacy that would in any case be appreciated by customers and business partners. In addition, businesses that have made commitments to abide by Privacy Shield may remain legally bound to continue implementing the standards despite the EU invalidation. US companies are probably well-served by continuing to adhere to the Privacy Shield standards as a matter of good business practice.
Finally, companies can take comfort in the fact that any personal data transfers that are necessary to fulfill a contract with the customer continue to be permissible. If an essential component of the product or service you’re offering to an EU person requires the sending or receiving of their personal data, this remains allowed post-Privacy Shield. The court’s decision does not destroy the ability of companies to continue providing core services and fulfilling their obligations to their EU customers just because the Privacy Shield is no longer valid, so companies probably will not need to worry that their core lines of business could be eliminated by this ruling.
While each of these facts does serve to blunt the impact of the court’s decision, US companies are still likely to face ongoing challenges when dealing with EU citizens’ personal data for the foreseeable future. This situation will persist unless and until an updated agreement can be reached between the EU and US which fully accounts for and remediates the deficiencies that the court identified within the old Privacy Shield agreement.