The gap between American and European data privacy laws has widened in recent years with the passing of the GDPR in the European Union. To date, the United States still does not have comprehensive data privacy legislation like the GDPR. Rather, it is currently up to individual states to pass their own data privacy regulations, as California has done with the CCPA. To bridge this gap, the U.S. Department of Commerce joined forces with European regulators to make data transfers possible between two of the world’s largest economies under an agreement known as the EU-U.S. Privacy Shield.
Recently, a ruling by the EU’s Court of Justice in the Schrems II case rendered the Privacy Shield program invalid. The invalidation of the Privacy Shield has implications for the 5,000 multinational businesses that relied on the Shield to conduct trans-Atlantic trade. So what does that mean for those companies?
The Privacy Shield Frameworks were approved by the European Commission in July of 2016 to ensure that data transfers from the EU to the U.S. would uphold the same data privacy standards protected under the GDPR. The framework established rules for the cross-border transfer of personal data from the EU to the United States, essentially extending GDPR data privacy protections to that data. Businesses could self-certify to the Department of Commerce, promising to abide by those rules.
Once approved, European businesses (or European branches of the same company) could transfer information regarding EU citizens to the United States legally. You might notice that we’re using the past tense here, and that is because this program was invalidated by the Court in the July 2020 case Schrems II. More about that later.
In addition to the EU-U.S. framework, a parallel framework was developed with Switzerland and approved a year later. Because Switzerland is not part of the European Union, a separate protocol was needed.
Switzerland generally abides by EU rules, so the EU’s ruling on the U.S. arrangement may have an impact on the Swiss-U.S. agreement. This framework is still active but is under review by the Swiss government.
The privacy initiatives responded to the aforementioned gap in data privacy legislation between the EU and U.S. governments. As the EU continued to pass more stringent rules regarding how consumer data could be handled, multinational companies that straddled the U.S. and EU borders found themselves in limbo.
On one side of the Atlantic, data legislation was practically non-existent, while the other side would become the gold standard for data privacy. To better understand this gap, let’s look at the fundamental differences between the two regions’ data privacy laws.
The European Union drafted and approved the GDPR in 2016. It came with a two-year transitional period to achieve compliance before coming into full effect. The GDPR extends several rights to EU citizens and residents, including the right to know what personal data a company has and the right to request that it be deleted. Europeans can also ask companies not to sell their information to other companies.
This stands in stark contrast to the United States, which has no comprehensive nationwide federal legislation regarding data privacy, with the exception of HIPAA. HIPAA, however, only protects medical records and does not afford consumers any protections in other industries. In recent years, individual states have proposed or passed data privacy laws, such as California’s CCPA (California Consumer Privacy Act), but without a country-wide mandate, the EU Court of Justice can’t say that U.S. laws uphold the same level of protection as EU laws.
Development of the Privacy Shield framework began shortly after the GDPR’s passage to prepare U.S. companies to receive European data in a way that respects Chapter V of the GDPR. Article 45 specifies that data transfers to third countries may only take place when the EU decides that the third country offers an adequate level of protection. Essentially, a third country must agree to respect GDPR rules if it is to receive European data.
So, if the shield was in place to protect European consumers’ data in the United States, why did it get rejected in the recent court ruling? The problem goes back to a 2013 complaint to Irish authorities about Facebook transferring data from Ireland to the U.S.
Facebook routinely moves data around the world for processing and storage purposes. An Austrian activist named Maximilian Schrems argued that the U.S. did not adequately protect his data. The original challenge centered on the U.S. surveillance programs exposed by Edward Snowden.
In 2015, the EU Court of Justice initially ruled against Schrems, holding that the U.S. did, in fact, offer adequate protection. The development of the Shield frameworks seemed to validate that argument. The U.S. was committed to protecting data from abroad when required to do so. However, the Court overturned that ruling in a second case known as Schrems II. There were two key points that the Court used to justify this ruling.
The first is that U.S. surveillance programs are not limited to what is strictly necessary and proportionate and therefore do not meet the requirements of Article 52 of the EU Charter of Fundamental Rights. Essentially, this means that U.S. surveillance programs are too broad for the U.S. to qualify as offering adequate protection.
Second, the Court found that the U.S. does not grant EU residents actionable rights before the courts against the U.S. authorities as required by Article 47 of the EU Charter, because EU residents do not have adequate recourse if they disagree with how the U.S. has handled their data. The Court of Justice, therefore, reversed the first ruling and thereby put an end to the Privacy Shield.
While the Court invalidated the EU-U.S. Privacy Shield, it upheld SCCs (Standard Contractual Clauses) in general. However, SCCs are not sufficient in and of themselves: companies must verify whether the law in each recipient country meets the requirements for the transfer of personal data under EU law. If that country’s laws are inadequate (as they were found to be in the U.S.), companies must provide additional protection or refrain from data transfers.
It is not yet clear whether data transfers to the U.S. (and to other countries with adequacy rulings against them) can be salvaged by increasing the level of protection, perhaps through encryption or other safeguards.
In addition, it’s worth noting that the U.S. has not closed its Shield frameworks and encourages companies to continue to re-certify or sign up. This improves the U.S.’s ability to negotiate a new deal with the European Commission, as it shows corporations’ willingness to work within a valid mechanism.
So what does all this mean for you and your business?
The 5,000 companies that relied on the EU-U.S. Privacy Shield framework will need to immediately identify alternative data transfer mechanisms if they want to continue to transfer personal data to the U.S.
Those companies may be able to rely on derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract). SCCs (with additional safeguards as mentioned above) or Binding Corporate Rules may also qualify, but it is important to check with corporate counsel and follow legislative and judicial updates for new guidance.
To learn more about these alternative data transfer mechanisms, tune in to our webcast with Debbie Reynolds, the Data Diva, on October 27th with the IAPP.
Aparavi is committed to making data privacy compliance easy. We are constantly updating our platform to help you manage your data according to the rules. Contact Aparavi to find out how we can keep you compliant and assist with any adjustments that these new developments may require.