European Court Drops 'Privacy Shield' Over US SurveillanceData-Sharing Agreement Invalidated; Activists Say US Surveillance Reform Needed
Europe's highest court has invalidated the Privacy Shield, an EU-U.S. data-sharing agreement, on the grounds that it offers insufficient privacy safeguards for Europeans.
At issue are U.S. surveillance practices, which the European Court of Justice's Thursday ruling says involve collecting personal information in a manner "not limited to what is strictly necessary," thus violating Europeans' privacy rights.
Launched in 2016, the EU-U.S. Umbrella Agreement on Data Protection - aka the Privacy Shield - was a voluntary, self-certification agreement issued by the European Commission after a previous arrangement, called Safe Harbor, was struck down by the court in an October 2015 ruling.
Both the 2015 ruling and this week's ruling resulted from cases filed by Austrian privacy campaigner Max Schrems, who heads the non-profit organization nyob, short for "none of your business." The rulings have hinged in part on documents leaked by former U.S. National Security Agency contractor Edward Snowden, which suggested that Europeans' private information was being shared with and amassed by U.S. intelligence agencies, thus violating Europeans' right to privacy.
"The court clarified for a second time now that there is a clash between EU privacy law and U.S. surveillance law," Schrems says. "As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people - including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."
Schrems notes that "necessary" data transfers can still be conducted under article 49 of the EU's General Data Protection Regulation. In addition, any European may still voluntarily consent to their data being transferred to the U.S.
What Schrems and others have been protesting is the transfer of their personal data to the U.S., for example, when they use a social network such as Facebook, because they're concerned about American surveillance practices.
European privacy law requires that wherever Europeans' personal data flows, it must be protected in a manner that complies with EU privacy legislation, which now includes GDPR.
"This should be a wake-up call to both the U.S. Congress and the U.S. intelligence community that stronger privacy protections must be built into intelligence surveillance authorities," says Alexandra Givens, president and CEO of the Center for Democracy & Technology. "People outside the U.S. have rights that U.S. surveillance law and practice must honor. Surveillance reform has long been a human rights imperative; now, it is an economic imperative as well."
But some legal experts say that it's unlikely that the Trump administration would rethink U.S. privacy laws and protections for Europeans in an election year.
Standard Contractual Clauses: Still Valid
The court's judgement on the latest case, known as "Facebook Ireland and Schrems," or Schrems II, was preceded in December 2019 by the advocate general to the Court of Justice of the European Union, Henrik Saugmandsgaard Oe, submitting a non-binding opinion on the case. He wrote that standard contractual clauses, or SCCs, were valid for the transfer of personal data to processors in other countries, provided those countries uphold Europeans' privacy rights. But he did not address Privacy Shield, saying it wasn't applicable to the case.
On Thursday, the court largely agreed with Oe's assessment that SCCs are valid, provided that EU data processors ensure that a company that signs an SCC as well as the country where it's located act in a manner that upholds Europeans' privacy rights. But it also ruled that Privacy Shield does not meet that test, and thus is not valid.
As of Thursday, 5,378 organizations were registered as being part of Privacy Shield.
Due Diligence: Now Required
Companies can continue to use SCCs for data transfers, legal experts say, but now there are some caveats, including European organizations needing to ensure that U.S. organizations are actually doing what they claim.
"SCCs are a set of essentially unchangeable clauses that lay out certain privacy commitments which organizations must abide by in order to be able to transfer data, which the European Commission has pre-approved," say Cordery attorneys Jonathan Armstrong and André Bywater in a client advisory.
In light of the Thursday ruling, "the upshot of this is it is not enough to simply have SCCs in place but that due diligence also has to be undertaken, and possibly additional protections added," they say. "That due diligence will need to be done not only on the other party to the agreement but also on the legal regime in the country where it is based."
In other words, not just the company but also its country must be subjected to a test for data privacy protections.
Some European data protection authorities, including Hamburg DPA Johannes Caspar in Germany, have already signaled that they will launch investigations into organizations that now use SCCs.
UK: Brexit Impact
The Thursday ruling could also have a big impact on the U.K., once it concludes its Brexit transition period for leaving the EU, which is scheduled to happen by the end of this year.
"While this case is clearly significant for SCCs and Facebook's operations, there is a larger picture that involves the court's stance against mass (or undifferentiated) surveillance," Lorna Woods, a professor of internet law at the University of Essex, says in a blog post.
"The U.K., like the U.S., has a system for mass surveillance, and once we come to the end of the year, data controllers in the EU will need to think of the mechanisms to allow personal data to flow to the U.K.," she adds. "The approach of the court to mass surveillance in Schrems II is therefore an indicator of the approach to a similar question in relation to the U.K. in 2021."
Unless Britain gets its approach right, it may find European privacy watchdogs blocking all U.K.-EU data transfers. "Post-Brexit, unless the U.K. receives an adequacy decision, SCC transfers to the U.K. may be investigated/stopped by any EU regulator if they feel U.K. law does not provide adequate protection in case of access by authorities," says Andrew Cormack, chief regulatory advisor at Jisc, a U.K. non-profit organization that supports educational institutions. "Such decisions must be taken by individual regulators, but may be discussed by the European Data Protection Board," which includes representatives from each EU member state's data protection authority.
What Organizations Must Do Now
What should organizations that have relied on Privacy Shield or SCCs do now?
"In terms of practical steps, the first one's going to have to be, if you're one of the ... companies that's in Privacy Shield, think of a Plan B," says Cordery's Armstrong. For starters, any organization with privacy policies that refer to Privacy Shield must now update them.
"But also, if you deal with any organization that is in Privacy Shield - so maybe they provide a global HR platform for you, a global sales platform, a helpline, travel management, whatever that might be - if you do business with them and they're relying on Privacy Shield, you're going to have to look at alternatives there, and standard contractual clauses could be the alternative in the short term," he says. "You might want to look at binding corporate rules as a medium- to long-term solution. And you're certainly going to have to do avid due diligence."
Doing something, immediately, is better than nothing. "Even if this is a work in progress, it might be something that they can show a DPA [data protection authority] if they come knocking," he says.