Posted by Craig Carpenter
On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR).
The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR.
This decision largely centered on European concerns about U.S. surveillance programs and the potential for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”[1]
The Court also called into question the efficacy of the “standard data protection clauses” as a means of cross-border data transfer, particularly in countries like the United States where public authorities have significant data access. The Court stopped short of invalidating the standard clauses as a lawful means of transfer altogether, but it emphasized the need to consider the practices of the countries in which the standard clauses are used, seemingly implying that they might not be appropriate in places like the United States.
We do not yet know the U.S. response to this decision; however, without Privacy Shield, U.S. companies will have to rely on a different means of lawful data transfer. Examples include Standard Contractual Clauses discussed in Article 46 (subject to the comments above), Binding Corporate Rules (Articles 46 and 47), explicit consent (Article 49), necessity for performance of a contract (Article 49), exercise or defense of legal claims (Article 49), or the other “derogations for specific situations” identified in Article 49 of GDPR.
[1] CJEU Press Release, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf (July 16, 2020).