The Court of Justice of the European Union (CJEU) has ruled the EU-US Privacy Shield Decision invalid. While Privacy Shield can no longer be relied on as a legal mechanism for transferring personal data between the EU and the US, its principles still provide a solid baseline of standards for protecting the personal data of EU data subjects once it reaches a US organization.
The decision was issued on July 16th, 2020 in the case Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (C-311/18), commonly known as Schrems II. The case is still running in the Irish legal system, but the Irish High Court referred it to the CJEU for a preliminary ruling. This procedure is used where the interpretation of EU law is in question, here the GDPR, and it is an integral part of the European legal framework because it keeps the application of EU law consistent across all member states. In practice, the Irish courts (and the courts of every other member state) must now apply these findings when deciding cases on similar subject matter.
The decision will not come as a surprise to anyone who lived through the invalidation of Privacy Shield's predecessor, the Safe Harbour Framework. The issues identified then were not remediated by the framework that replaced it. The main point of concern was, and still is, the mass surveillance programs carried out by US agencies against non-US data subjects. It is important to note that the ruling does not prohibit monitoring of communications as such: a third country may monitor communications as long as fundamental rights safeguards and effective remedies are available to data subjects and the monitoring is governed by clear, specific and comprehensive intelligence laws. The court found that this is not the case in the US.
A grace period was expected but never guaranteed. When the Safe Harbour Framework was invalidated, it took only 10 days for the EU to announce a grace period of 4 months for businesses to prepare, and another 9 months for Privacy Shield to come into existence.
So far, there has been no such announcement from the EU, and as time passes it is becoming unlikely that a grace period will be offered, contrary to what most experts expected.
The authorities are aware of the disruption and are looking for a solution. The US Commerce Department and the European Commission have already initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework. Any material outcome, however, may take months if not years. Businesses should therefore start preparing now so that their transfers of personal data are as compliant as possible during this transition period, whether or not a new framework eventually materializes. If your business is a US company certified under Privacy Shield, the recommendation is to maintain your certification and continue honouring its commitments, but not to rely on Privacy Shield as the legal basis for any international transfers to or from the EU.
The first step for any organization is to identify every data flow that currently relies on Privacy Shield and to transition each one to a different transfer mechanism, such as the Standard Contractual Clauses (SCCs). Bear in mind that the ruling also applies to the SCCs: to rely on them, a business must verify that the protection afforded to the personal data in the destination country is 'essentially equivalent' to that guaranteed in the EU, and must adopt supplementary measures to make up for any shortfall caused by local laws.