Businesses Press for Quick Resolution After Privacy Shield Annulment

The case grew out of an earlier challenge by Max Schrems against Facebook's transfer of his personal data to the U.S., the high court noted. The ECJ tossed out PS' predecessor, Safe Harbor. Afterward, the Irish Data Protection Commission, which was handling the matter, asked Schrems to revise his complaint in light of the ruling. Schrems then claimed the U.S. doesn't provide enough protection for his personal data and asked that such data flows be halted. Ireland asked the ECJ to give a preliminary ruling. After the proceeding began, the European Commission approved PS. The Irish high court then asked the ECJ whether the general data protection regulation applies to transfers of personal data under PS and what level of protection is required under the GDPR.

The Commerce Department is “deeply disappointed” and studying the “practical impacts,” said Secretary Wilbur Ross. The department is in close contact with the European Commission and European Data Protection Board and hopes to “limit the negative consequences to the $7.1 trillion transatlantic economic relationship,” he said. The U.S. tried to give the court a full understanding of “U.S. national security data access laws and practices and how such measures meet, and in most cases exceed, the rules governing such access in foreign jurisdictions,” the department said. Commerce will continue administering the PS, “including processing submissions for self-certification and re-certification” and maintaining the participant list, it said. “Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

In finding PS invalid, the ECJ said data transfers to third countries must offer data protection essentially equivalent to that given by the GDPR. Data protection authorities must suspend or bar transfers to countries whose level of protection can't be assured. The court said mechanisms for determining whether transfers are allowed are sufficient. But it said PS is invalid because U.S. use of Europeans' data for surveillance isn't limited to what's strictly necessary; and there are no guarantees against potential abuse of data for targeted non-U.S. citizens. The ombudsman system has no redress system and the ombudsman lacks power to make binding decisions against U.S. intelligence agencies, the decision said.

The court once again clarified there's "a clash between EU privacy law and US surveillance law," Schrems wrote. He said the U.S. should enact surveillance revision, which is "crucial for the business interests of Silicon Valley." Facebook welcomed the ruling confirming the validity of standard contractual clauses (SSCs), said Associate General Counsel Eva Nagle. The company would now like regulatory guidance, she said.

The EC will decide on a way forward, and is in contact with its U.S. counterparts to try to ensure the continuity of data flows, a spokesperson emailed. Meanwhile, companies can use SCCs and binding corporate rules, among other tools, he added. The judgment "confirms the concerns reiterated on numerous occasions" by the European Parliament, said Civil Liberties Committee Chairman Juan Fernando Lopez Aguilar, of the Socialists and Democrats and Spain.

The ruling that U.S. surveillance powers are excessive "goes further than the opinion ... by the Advocate General, and will hugely impact the thousands of US based Privacy Shield registrants," emailed Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten. Large companies have complex webs of data transfers with hundreds of overseas recipients, but the court made it clear they can't justify them using a "tick box" exercise of putting SCCs in place. Instead, he said, the risks with those transfers will now have to be properly assessed. The criteria may be burdensome for many companies, and data protection authorities may be encouraged to "clamp down on international transfers more aggressively, with the possibility of transfers to jurisdictions with strong state surveillance powers becoming increasingly difficult." That opens up a "significant debate" on transfers to the U.S., he said: "For the thousands of businesses registered with the US Privacy Shield, this will be groundhog day" after Safe Harbor was nixed.

It "creates legal uncertainty" for thousands of companies on both sides of the Atlantic, said the Computer & Communications industry Association. AmCham EU and the Internet Association urged the EU and U.S. to work quickly on a solution. "Now is the time for cool heads on both sides of the Atlantic," said techUK CEO Julian David. He stressed the need for certainty in the short term and a quick return to negotiations. Such groups sought a transition period and other mechanisms so as not to disrupt current data flows.

The ruling won't have the same impact on all players, telecom consultant Innocenzo Genna blogged. U.S. companies offering Europe-based EU services such as cloud, managed via servers in Europe, likely won't be affected. For those offering digital services and managing data through facilities in the U.S., such as free services focused on profiling and advertising or consumer services commercialized in free or "freemium" models, the ruling may make data transfers to the U.S. harder, he wrote.

"The 'shield' was full of cracks and loopholes, said the European Consumer Organisation: In the context of trade talks, it's a reminder citizens' rights can't be used as bargaining chips. The EC "must not again betray fundamental European values and bow to the U.S. government and the business lobby," said Member of the European Parliament Patrick Breyer, of the Greens/European Free Alliance and Germany.

Whether it’s GDPR, “digital services taxes, or data localization requirements, it is clear Europe is targeting American tech companies,” said House Commerce Committee ranking member Greg Walden, R-Ore., and House Consumer Protection Subcommittee ranking member Cathy McMorris Rodgers, R-Wash. “But our shared interests and values should outweigh these shortsighted and misguided policies.” The EU isn’t applying the same standards to other countries with “no concern for protecting consumer data,” they added.

The FTC deferred to Commerce. It’s reviewing closely the decision, “which is based on national security issues,” a spokesperson said. “We defer to our Department of Commerce and other U.S. government colleagues on these issues.”

It’s unlikely U.S. and EU officials will strike a deal on any agreement resembling the PS, said Hunton Andrews' Lisa Sotto, calling this a “stunning” development that jeopardized thousands of companies’ ability to do business in the EU. The court’s opinion on U.S. surveillance practices leaves America in an untenable position for getting a deal for anything similar, she said. Companies will need to scramble to implement SCCs on an individual basis by country. The only other data transfer mechanisms are binding corporate rules, which take months to validate and aren’t realistic for most business models, she said.

It’s encouraging that the EC and the Commerce Department are in contact, said CCIA Europe Head of Office Christian Borggreen during a Thursday news media call. It won’t be a matter of days or even weeks for accord because there's a lot to examine from the decision, he said: Hopefully, there will be a swift alternative for the PS. There’s clear need for guidance from EU members, he added. CCIA Senior Policy Manager Alexandre Roure responded to Schrems’ claim the decision leaves SCCs effectively dead. The ruling is clear SCCs are valid, and that’s how industry will operate, Roure said.

“The flow of data between the U.S. and E.U. is essential to businesses of all sizes and an incredibly diverse array of beneficial services,” said Software & Information Industry Association CEO Jeff Joseph. “We urge E.U. and U.S. officials to meet immediately to find a path forward.”