The European Court of Justice struck down Privacy Shield, an agreement between the United States and the European Union on how U.S. companies handle personal data for European users, because the privacy protections for European users under the framework were “inadequate.
The decision comes as part of the ruling for Facebook v Schrems, the case in which privacy activist Max Schrems complained to the Irish Data Protection Commissioner that Facebook was transferring his (and other European users’) data to data centers in the U.S. The problem was that under US law, the Clarifying Lawful Overseas Use of Data Act of 2018 (CLOUD Act), a US court can demand a US company hand over personal data for an individual, which meant the company wouldn’t be able to provide users with the privacy controls mandated under Europe’s General Data Protection Regulation.
“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR,” the European Court of Justice said in its ruling.
The EU and US negotiated the EU-US Umbrella Agreement on Data Protection, or Privacy Shield, after the EU court struck down Safe Harbor in October 2015 for being insufficient to protect EU citizens’ privacy rights. Privacy Shield allows US companies to transfer EU user data outside the EU and not have to set up data centers in Europe specifically to handle EU data. The court said with this ruling that companies cannot provide users with lesser privacy rights by moving European users’ data to data centers outside of Europe.
The combination of section 702 of the US Foreign Intelligence Surveillance Act and US policies showed that the US government had authority to harvest EU citizens’ data from US companies, in a manner “not limited to what is strictly necessary,” the court said. The broad surveillance powers do not meet EU data protection requirements.
Privacy Shield "does not grant data subjects actionable rights before the courts against the US authorities," the Court of Justice said in its decision. There is no provision in this framework for EU citizens to challenge the US company for mishandling their data stored on US servers.
“The implications of this decision are potentially monumental, and has sent the privacy community scrambling,” said Heather Federman, vice-president of privacy and policy at BigID.
Under the Privacy Shield framework, companies could define privacy using Standard Contractual Clauses—but the new ruling indicates that SCCs have to, at the bare minimum, protect user data in the manner required by the General Data Protection Regulation and other privacy laws. In short, the privacy protection is tied to the information, not the location where the information is stored, processed, or transferred. Companies have to comply with GDPR even if the data of the European users are in US servers, or potentially face high fines.
“Standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries,” said Vera Jourová, vice-president of the European Commission. EU data processors will make sure that companies that have signed SCCs are complying with GDPR.
This doesn’t mean that companies that work with European users have to immediately stop transferring data to their non-EU data centers. Companies that reference Privacy Shield in their privacy policies now have to update their terms. Organizations currently taking part in Privacy Shield—there are 5,378 US organizations and 250 European organizations registered—have to figure out if they have valid SCCs in place. A company may not be registered with Privacy Shield but partner with another company who does—such as the human resources provider or sales platform, for example—will have to look at their contracts to make sure their user data is protected appropriately.
“In the short term, the best thing companies can do for themselves--aside from speaking to their legal counsel--is make sure they have a clear understanding of whose data they have, what is their residency, where it is stored, where that data center is located, and maps of where data is flowing,” Federman said.
Approximately 88 percent of companies transferring data out of the EU rely on SCCs, while 60 percent use Privacy Shield, according to International Association of Privacy Professionals (IAPP) research.
The long term implications are unclear, but Federman worried about the “Balkanization of the Internet,” or a drive towards the localization of services, offerings, and data storage within specific regions. The immediate effect of the decision is that multinational companies will launch EU-based subsidiaries or tech companies will keep all European user data in European data centers.
“Ten years from now, that may mean we have a version of the Internet in the US that is different from what you see in Europe, China, or Russia,” Federman said.
Privacy activists hope the ruling will shake up US surveillance laws. "This should be a wake-up call to both the U.S. Congress and the U.S. intelligence community that stronger privacy protections must be built into intelligence surveillance authorities," said Alexandra Givens, president and CEO of the Center for Democracy & Technology. "People outside the U.S. have rights that U.S. surveillance law and practice must honor. Surveillance reform has long been a human rights imperative; now, it is an economic imperative as well."