CJEU overturns Privacy Shield agreement: what you need to know

The Court of Justice of the European Union (CJEU) has overturned the Privacy Shield agreement. In this article, we explore the implications this might have for your company and what you now have to put on your to-do list.

The Court of Justice of the European Union has invalidated the Privacy Shield agreement.
Image: © mik ivan / Adobe Stock

The background on the Privacy Shield and CJEU ruling

After the Safe Harbor agreement, the Privacy Shield is now the second data transfer contract between the United States and the EU to have been reversed by the Court of Justice of the European Union. And not without reason – after all, the transatlantic agreement was controversial right from the start. The new CJEU ruling was the result of a legal dispute between data protection activist Maximilian Schrems and Facebook. Schrems had filed a suit against the transmission of personal data from Facebook to the USA via Ireland.

The case was based on the weak data protection laws in force in the United States in comparison to the EU’s General Data Protection Regulation (GDPR). It was escalated to the Supreme Court, the highest judicial body in Ireland, and was ultimately passed on to the Court of Justice of the European Union. By then, the case was no longer just about Facebook, but generally about the transfer of personal data to third countries, including the USA. The ruling: Directive 95/46/EC of the European Parliament and of the Council, which granted the Privacy Shield its status of being adequate (“adequacy decision”), was declared invalid.

The Privacy Shield agreement: data protection even outside the EU

Anyone who wants to process the personal data of EU citizens needs the explicit consent of the individual concerned or must be able to refer to a legal regulation that does not require consent. However, that only applies to data processing within European borders. If information is transmitted to natural persons in third countries, such as the United States, that is not sufficient.

In this case, the GDPR requires a supplementary legal regulation that justifies the transfer and processing. With regard to the USA, this is where the Privacy Shield agreement came in – until now. Within the Privacy Shield framework, over 5,000 American companies had self-certified that they agree to comply with European data protection laws. These companies, including Google, Facebook, and Twitter, among others, were then deemed “safe”, creating the supplementary legal basis for data to be transmitted.

European data protection and the Privacy Shield

There are several reasons why the Court of Justice of the European Union reversed the validity of the Privacy Shield agreement. It was criticized that access to personal data from the EU on the basis of U.S. legislation does not correspond to the principle of proportionality according to European law. For example, American companies are under an obligation to transmit the personal data of EU citizens to authorities such as the NSA or FBI. It was also argued that the options for legal recourse available to EU citizens in the event that their privacy rights are violated in the USA are not sufficient.

What applies now for companies?

The ruling has far-reaching consequences for American and European companies alike. Once again, there is a lack of a supplementary legal basis that permits EU data to be processed in the United States for business purposes. It will likely be a long time before Europe and the USA agree upon a new regulation. Until then, European companies have to take action and review any type of transfer of personal data to the USA. In many cases, their privacy policy will also need to be revised.

What is the current legal situation?

The end of the Privacy Shield does not mean an end to the use of American services. After all, the transmission of data to the USA is part of the day-to-day business of most companies – and the European Commission knows this. For this reason, there are a couple of exceptions where data transfer may still be permitted without the Privacy Shield.

  • The current legal options include internal data protection provisions (binding corporate rules) through which American companies agree to comply with the European General Data Protection Regulation. They provide a particularly sound legal basis if they are approved by the European data protection authorities. However, this will only happen once the criticisms of the new CJEU ruling in terms of the legal recourse rights of EU citizens and the access rights of U.S. authorities have been resolved. In this regard, a lawyer specialized in data protection should check on a case-by-case basis whether this has already occurred.
  • The same applies to what are referred to as “standard contractual clauses”. These are contract templates pre-formulated by the EU Commission that American companies can use to self-commit to the European GDPR. Many companies have already incorporated these into their contracts.
  • Furthermore, Article 49 of the GDPR allows the processing of personal data in third countries under certain conditions. However, the clause is only applicable to a limited extent to the protection of personal data in marketing and of employees. The applicability of the article should therefore be thoroughly checked in each individual case.

The basic rule is: any type of transmission of personal data to the USA necessitates a careful analysis. It is therefore advisable to temporarily stop transferring data to the United States and consult an expert in data protection law.