Will Privacy Shield Survive? CJEU to Decide on its Validity

June 10, 2019

The EU General Data Protection Regulation (GDPR) restricts the transfer of personal data to countries outside the EEA, including the U.S. The EU-U.S. Privacy Shield (the successor to the struck-down Safe Harbor regime) provides an exception to this where the U.S. data importer has signed up to the Privacy Shield framework. However, the validity of Privacy Shield is in jeopardy as data protection rights groups seek to have the regime invalidated on the basis that it breaches fundamental EU rights and does not provide adequate protection for personal data. The General Court of the EU is set to hear the complaint on July 1 and 2 this year.

What is Privacy Shield?

Under the GDPR, transfers of personal data may only be made to countries outside of the EEA in certain circumstances. One such set of circumstances is where a U.S. data importer has self-certified to the Privacy Shield standard because the European Commission has determined that the Privacy Shield framework provides an adequate level of protection in respect of personal data. At the time of writing, there were 4,798 signatories to the Privacy Shield. Compliance with Privacy Shield is primarily enforced by the U.S. Federal Trade Commission.

Criticisms of Privacy Shield

Privacy Shield has been subject to robust and continued criticism since its inception that it is too similar to its failed predecessor, Safe Harbor. Restrictions on data exporting are a longstanding feature of EU data protection law that predate the GDPR. Safe Harbor was a prior self-certification framework for U.S. entities that was declared invalid by the ECJ in 2015 due to concerns that it did not properly enforce compliance, investigate violations or identify companies falsely claiming to be members. Privacy Shield was adopted as a successor and was intended to have strengthened compliance mechanisms, including annual reviews and new certification procedures. These measures have failed to satisfy privacy campaigners.

On June 12, 2018 the European Parliament’s Civil Liberties Committee (LIBE) called for the European Commission to suspend Privacy Shield on the basis that it is not GDPR-compliant and does not adequately protect the personal data of EU citizens. LIBE’s concerns followed the Facebook/Cambridge Analytica data misuse scandal after it came to light that both companies had signed up to Privacy Shield. Pressure mounted as the European Parliament passed a nonbinding resolution directing the European Commission to suspend Privacy Shield unless the U.S. government could comply with its terms.

Ultimately, the concerns were considered during the second annual review of the Privacy Shield framework in October 2018 where the European Commission’s report concluded that (notwithstanding such concerns) the U.S. continued to ensure an adequate level of protection for personal data transferred under the Privacy Shield framework.

The Legal Challenge

A formal challenge to Privacy Shield has been brought by the French privacy advocacy group, La Quadrature du Net. On the other side, Privacy Shield’s survival is supported by the European Commission and the governments of several countries, including the UK and the U.S., as well as Digital Europe (the leading trade association for digital industries in Europe).

On July 1 and 2, 2019 the General Court of the EU will hear arguments as to the validity of Privacy Shield. A decision is expected a few months after that.

Are There Alternatives?

If the court invalidates Privacy Shield, businesses will need to move swiftly to ensure that there are no interruptions to their data flow. For frequent data transfers, the following alternative measures should be considered:

  • Binding Corporate Rules (BCR) are expensive and complex to implement but are a good tool for large multi-nationals and legitimise all data transfers within an organisation’s group.
  • Standard Contractual Clauses (SCCs). The most widely used basis for data transfers, these are European Commission-approved clauses in a standard form that can be inserted into contracts allowing EU-U.S. data flows. However, SCCs are themselves subject to challenge, in this case by Max Schrems (the individual behind the challenge to Safe Harbor). A hearing to determine the validity of the standard contractual clauses is set for July 9, 2019 with judgment expected in the autumn.

Comment

Until other potential methods set out in the GDPR (such as codes of conduct or certification mechanisms) are approved and available there remain limited options for organisations needing to transfer personal data outside of the EEA. As such, the upcoming decisions will be of great importance to organisations relying on Privacy Shield or Standard Contractual Clauses. Whilst invalidation of these mechanisms would likely have no formal grace period, we would expect data protection regulators to act proportionately in the immediate aftermath of such a decision to allow businesses to implement alternative arrangements. In addition, we note that the hearing of the Privacy Shield challenge will be before the EU General Court and we would expect any decision to be promptly appealed to the Court of Justice of the EU.
