Privacy Shield

From 2016 to 2020, the EU-US Privacy Shield regulated the transfer of personal data from the EU to the US. But in July 2020, the data transfer agreement was declared invalid by the European Court of Justice (Schrems II ruling), as it could not guarantee a level of data protection in line with the General Data Protection Regulation (GDPR), and prioritized US national security requirements. At least until new regulations take effect, US companies will be held more accountable and – if they want to avoid sanctions – must now be more actively involved than ever in the discourse on data protection.

Although the Privacy Shield has been invalidated, EU companies can still export personal data to the US. The European Commission decided that the EU standard contract clauses (SCC) – another commonly used instrument for data transfers – still makes it possible for data to be transferred internationally. But instead of just bringing data over from the European Union, US companies certified under the Privacy Shield will now have to negotiate that transfer via SCCs.

Following the Schrems II judgment, the use of standard contractual clauses is subject to stricter rules and conditions: EU companies must take additional measures and, in principle, carry out a case-by-case assessment of each data transfer. However, because the EU courts have deemed US data protection to be limited, EU data is considered unsafe to be transferred over to the United States.

Furthermore, standard contractual clauses are subject to review by European supervisory and data protection authorities. So if the legal situation in a third country prevents a data recipient from complying with the obligations under the standard contractual clauses, data transfers may be suspended or even prohibited. In other words, the whole process must be taken into account when examining the level of data protection. Throughout, it must, therefore, be guaranteed that national security and investigative authorities in the recipient country have no access to personal data.

In the current situation, case-by-case assessment is particularly difficult for small and medium-sized enterprises, as they don’t normally have the know-how and the means to verify whether there’s an adequate level of data protection in a third country. Moreover, the ECJ’s ruling doesn’t specify exactly what concrete standards are to be applied to individual case assessments or to possible extensions of standard contractual clauses.

Nevertheless, SMEs should actively get to grips with the topic. Legal experts advise small and medium-sized enterprises to take the highest precautions and to create solid documentation on their own data protection efforts. In doing so, companies will be better prepared for a possible legal dispute and will be better able to defend their actions in court once the Privacy Shield ends.

So, with a restricted data flow, how should US businesses who collect data on EU citizens move forward from and what measures should they take to make sure they’re complying with all the formal aspects of standard data protection clauses? First and foremost, companies previously certified under the Privacy Shield should examine all data flows, contracts, and relationships that involve the transfer of personal data from the EU to the US. Since the legal situation in the US will now be more closely analyzed by EU companies and the probability of inappropriate data access more carefully assessed, it’s important that you review all agreements and determine whether you want to continue receiving that data. Once you’ve done that, you need to determine how the SCCs can be implemented to maintain that data flow. While some partners will be more willing to accept this new agreement to keep the business running as usual, others will certainly see it as a chance to renegotiate agreements in their favor.

In the process, it should be clarified whether your business will assume special contractual obligations in view of the current situation (e.g. increased monitoring and notification obligations). In the current situation, EU companies could also call on American business partners and service providers to use all available technical means to optimize data protection, for example the use of end-to-end encryption in video conferencing software.

EU companies who can do without data transfers, cloud services, and servers in third countries outside the EU will look for GDPR-compliant alternatives in Europe. In addition, developments in data protection law should be closely followed. In an FAQ document on the ECJ’s Privacy Shield judgment, European Data Protection Supervisor (EDSA) provides information on the current status to interested and affected parties.

The Privacy Shield was officially introduced in mid-2016 as the successor to the EU-US Safe Harbor Privacy Principles. The aim of the agreement was to protect the data of European citizens that is stored and processed by companies based in the US after being transferred to the US. This exclusively concerned personal data, which, for example, is collected to a large extent in e-commerce. Personal data includes telephone numbers, customer IDs, credit card or identification numbers, account data, the appearance of a person, or the address of EU citizens in combination with other individual data.

The validity of the Safe Harbor successor ended in July 2020 by a ruling of the European Court of Justice (ECJ). In the so-called Schrems-II ruling of 16.07.2020 the ECJ assumes that the security level required in the General Data Protection Regulation (GDPR) won’t be achieved when storing and processing personal data in the US.

In doing so, the ECJ also annulled the adequacy finding of the European Commission, which repeatedly confirmed that the US had a sufficient level of data protection. The ECJ ruling was triggered by a lawsuit filed by Austrian data protection expert Maximilian Schrems, who had previously initiated the end of the Safe Harbor Agreement with a lawsuit. In this lawsuit, Schrems wanted to prohibit Facebook Ireland from transferring his personal data to the United States, filing a complaint with the Irish data protection authority. When the Irish High Court did not initiate proceedings, Schrems sued them. In the second instance, the Irish data protection authority referred the matter to the ECJ for legal review, which ultimately overturned the EU-US Privacy Shield.

The Safe Harbor successor was based on special data protection measures and standards that had to be met by the US. An important element was that US companies could certify themselves with the Privacy Shield. After a US company voluntarily submitted to the terms of the agreement, a review by the US Department of Commerce took place. Once a company had successfully completed the process, it was included in a publicly accessible database. The list included a total of 5,384 organizations at the end of the agreement’s validity.

The EU-US Privacy Shield guaranteed EU citizens comprehensive rights when personal data was transferred to certified companies in the US – and EU citizens could contact the companies directly to claim these rights. These companies had to respond to the citizens’ concerns within 45 days. The rights guaranteed in the Privacy Shield included:

• Right to information and disclosure
• Right of objection (an objection could be made against a data processing if necessary)
• Right to rectify inaccurate data
• Right to deletion of data
• Complaints/redress procedures were available

To enforce and protect their rights, EU citizens could also turn to an ombudsman within the US Department of State. The ombudsman should be independent of all intelligence services, investigate the concerns of private individuals, and provide information on whether applicable law is being observed in specific cases. However, the office was not filled until 2018 at the insistence of the EU. Manisha Singh initially served as ombudsperson, followed by Keith Krach in June 2019.

Alternatively, EU citizens could turn to their national data protection authorities, which could then contact the US Federal Trade Commission (FTC) directly for further clarification. If no other form of agreement could be found, then arbitration proceedings with an enforceable arbitral award acted as the final frontier. Additionally, all companies were able to act in accordance with the recommendations of European data protection authorities. Those companies that process personal data are obliged to do so anyway.

A prerequisite for the validity of the Privacy Shield was the adequacy decision by the EU Commission, which certified that the United States has adequate data protection standards for the storage and processing of personal data from the EU. The adequacy decision of 2016 was reviewed annually and renewed if the required level of data protection was met. The EU Commission and the US Department of Commerce conducted the review jointly with the involvement of experts. The procedure resulted in a publicly available report that was submitted to the European Parliament and the Council.

Despite these extensive data protection measures, mass surveillance was not completely ruled out. In six areas, which on closer inspection leave a certain scope for interpretation, the US was able to collect data on and for:

• Counterterrorism
• Revealing activities of foreign powers
• Combating the proliferation of weapons of mass destruction
• Cybersecurity
• Protection of US and allied forces
• Combating transnational criminal threats

For EU citizens, the extensive rights to complain in the event of concrete breaches of data protection by US companies were among the benefits of the Privacy Shield agreement. An important component was also the purpose limitation principle: Data could only be logged and processed for a purpose that was clearly defined in advance and legally permissible. For US-based organizations, the stamp of approval of providing “adequate” privacy protection was key for the transfer of data outside of the EU, as well as that Member State requirements were waived for participating companies.

However, the EU-US Privacy Shield was met with opposition from the get-go. Critics argued that the agreement was not far-reaching enough. There were complaints that the requirements of the European Court of Justice were not sufficiently met and that many discrepancies were only cosmetically concealed. Since the post of ombudsman was assigned to the Ministry of Foreign Affairs, critics felt that the agreement lacked institutional independence and that it conflicted with the General Data Protection Regulation (Article 52 (1) GDPR). They also criticized the fact that affected EU citizens could not take legal action against decisions of the ombudsman’s office.

Another main point of criticism was that the mass surveillance measures were not subject to a proportionality test and in doing so violated European law. The US was still the central controlling power and there was no evidence of an investigation by national supervisory authorities. The critics also missed the urgently needed control of large US online companies.

Due to these shortcomings, critics and experts already at that time assumed that the agreement would not stand up to the review by the European Court of Justice, and therefore did not represent a long-term, legally sound solution. The conspicuously small differences to Safe Harbor were repeatedly denounced. Many critics assumed that various data protection loopholes were de facto not closed by the Privacy Shield.

Click here for important legal disclaimers.