European Court of Justice overturns EU-US Privacy Shield – What now?


In a landmark decision, the ECJ ruled today that the EU-US Privacy Shield is invalid, thereby striking down, once again, one of the most important legal bases for data transfers between the EU and the US. The Court stated that the Privacy Shield failed to protect the privacy of EU citizens and did not comply with data protection rules.

This decision will impact many companies yet again and force them to evaluate their data transfers into the US. Luckily, there are other ways to secure data transfers into the US in accordance with GDPR.

The history of data protection agreements between the USA and the EU

Although data protection was not a high priority in the early 2000s, the EU decided to protect the personal rights and thus the personal data of its citizens abroad. For this reason, the first transatlantic "Safe Harbor" data protection agreement between the EU and the USA was concluded as early as 2000. For 15 years, this agreement largely regulated data traffic between the two continents.

The agreement was criticized early on: its effectiveness was doubted because of various security laws in the USA and because of the way it was actually implemented. US companies wishing to rely on the Safe Harbor Agreement only had to officially declare that they would comply with the seven principles of the regulation. In fact, there was no external certification or even testing. Nevertheless, "self-certified" companies were published on an official list and automatically deemed to provide an adequate level of data protection.

In addition, various security laws, such as the Patriot Act, were enacted in the USA, which allowed state authorities to access the personal data of affected persons without their knowledge or consent. When whistleblowers such as Edward Snowden brought further revelations about the intrusive surveillance measures of the US government to light, the Safe Harbor Agreement came under increasing criticism.

Ultimately, it was the lawsuit filed by the Austrian data protection activist Maximilian Schrems against Facebook Ireland that led to the ECJ's Safe Harbor ruling in 2015, which finally declared the agreement invalid. At that time, the ECJ argued that the agreement simply could not guarantee a sufficient level of protection (ECJ case no. C-362/14).

Just as today, this decision led to an unclear legal situation regarding the transfer of personal data to the USA. Since the worldwide transfer of personal data has become the basis of business for many companies, above all large international groups such as Facebook, Google, Microsoft and Apple, but also companies based in the EU, an effective data transfer agreement had become crucial. Therefore, the EU-US Privacy Shield was quickly drafted just a few months later, in July 2016.

The Privacy Shield was based in particular on assurances by the US government that it would no longer carry out unlawful data processing, and on an adequacy finding by the EU Commission, which thus certified that the US had an adequate level of protection. The Privacy Shield was also criticized from the outset, as, according to data protection experts, it still did not provide an adequate level of protection.

It is therefore all the more astonishing that the agreement held up until the ECJ's Schrems-II ruling in 2020, despite the introduction of the General Data Protection Regulation (GDPR) in 2018 and the much stricter data protection principles that went with it, as well as various scandals concerning inadmissible surveillance measures by the US government.

In a non-binding opinion in December 2019, the ECJ Advocate General Henrik Saugmandsgaard Øe found that the standard contractual clauses (SCC) used for data transfers between EU and non-EU countries were "valid". Regarding the EU-US Privacy Shield, he concluded that there was no need to examine its validity, because the dispute in question only concerned the Commission's decision establishing the standard contractual clauses.

The ECJ only partially followed his proposal. The Court declared the EU standard contractual clauses to be lawful, as proposed by the Advocate General. However, contrary to the Advocate General's proposal, the ECJ also ruled on the legality of the Privacy Shield and declared it invalid.


Transfer of personal data after the ruling – EU standard contractual clauses?

Once again, many companies are now facing a legal challenge, but this time it is not surprising. For a long time, many data protection experts had been aware that the agreement would be overturned sooner rather than later. Even the EU Commission was already preparing alternatives to the Privacy Shield weeks before the ECJ ruling was announced. However, in contrast to the Safe Harbor decision in 2015, the now effective GDPR stipulates far higher fines if the regulation is not observed. Fortunately, Article 46 (2) GDPR provides further legal bases for making data transfers to the USA legally secure.

These include, in particular, the aforementioned SCC, which were issued by the EU Commission and have been used by many companies for years. The SCC can (similar to data processing agreements) be concluded with service providers outside the EU and oblige them to maintain an adequate level of data protection. However, even though the ECJ once again ruled them generally suitable in the Schrems-II case, parts of the SCC actually date back as far as 2001, and they only apply to very specific constellations of data transfers. In addition, the ECJ even suggested that the EU Commission in fact has a duty to forbid data transfers to a country in which the measures stipulated in the SCC cannot be fulfilled.

Especially in the case of more complex data streams, for example within an internationally operating group, the SCC are usually not suitable. The GDPR offers other possible legal bases, such as "Binding Corporate Rules", but these must first be approved by the competent supervisory authority. Their use therefore also entails an extensive examination of a company's internal data protection processes. This is a time-consuming and cost-intensive measure that usually only a few companies can afford. Another factor is that many supervisory authorities are overloaded, so such an audit can take years.

The GDPR also provides other possible legal bases in Article 46 (2) GDPR, but many of these are still not available, even though it has been two years since the introduction of the regulation.

The ECJ ruling on the EU-US Privacy Shield therefore puts pressure not only on companies, but also on supervisory authorities and the legislator, and thus poses new challenges. It remains to be seen which alternatives the EU Commission will create in order to continue to provide companies with a legally compliant option for data transfers to the USA. In an increasingly networked world that depends on online solutions from large US corporations, especially due to the Covid-19 pandemic, international data transfer is and remains a must.

The data protection experts at CLARIUS.LEGAL will be happy to advise you on this. Please do not hesitate to contact us.