Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On July 16, 2020, the European Court of Justice (CJEU)―the “supreme court” of the European Union (EU)―issued a surprise decision[1] that for the second time in five years completely invalidates the special EU-to-U.S. personal “data export” mechanism, now called the “Privacy Shield.” The CJEU’s decision also placed some doubt on the viability of an alternative data transfer mechanism known as “model contracts” or “standard contractual clauses,” which many U.S. multinationals also rely on to transfer human resources (HR) data from the EU to the U.S. legally.
What “Privacy Shield” was: Under the EU’s data protection law, the General Data Protection Regulation (GDPR), parties in Europe can legally transfer personal data (including HR data) to a third country outside the EU, including to the United States, without additional safeguards only if that country’s laws ensure an “adequate level of protection” for personal data. Unfortunately, in this regard the EU does not consider U.S. law “adequate.” Therefore, in 2016, the EU and the United States negotiated “Privacy Shield” as a special program establishing a simplified mechanism for EU companies―including the EU affiliates of U.S. multinationals―to legally “export” (send or transfer) personal data from the 28 EU Member States to the United States.
The U.S. Department of Commerce administered Privacy Shield. Under it, U.S. companies self-certified that they process Europeans’ personal data, for operations in the United States, in a way that provides GDPR-like protections. Therefore, under Privacy Shield, a business in the EU could legally send GDPR-regulated personal data to a Privacy Shield-certified company in the United States, which could then “process” the European data without violating the GDPR.
In short, until now, entities in Europe―including American companies’ European affiliates―could legally transfer personal data, such as employee data, to a Privacy Shield-certified entity in the United States without violating GDPR. Now, Privacy Shield is no longer a permitted data transfer mechanism.[2]
This is strike two for the special EU-U.S. program: We have been through this before. Back in 2015, Max Schrems―the same Austrian privacy advocate and litigant who just won the new case―succeeded in invalidating a similar, predecessor data-export channel called the “EU-U.S. Safe Harbor Framework.” After the CJEU invalidated Safe Harbor in 2015, the European Commission and the United States replaced Safe Harbor with a “2.0” version, Privacy Shield. Now even the “2.0” version is dead. It is too early to say whether the European Commission and the United States will negotiate a 3.0 version. If they do, it could take time to accomplish. Or this might be the final “nail in the coffin” for the special data privacy program.
What the new CJEU decision means for U.S. companies: While Privacy Shield was a means for legally exporting personal data from Europe to the United States, it was never the only data transfer mechanism. So now, entities that used Privacy Shield to export personal data to the United States need to switch to a different, GDPR-compliant mechanism.
One possible alternative is called model contracts or standard contractual clauses―controller-to-processor or controller-to-controller. “Model contracts” are EU-approved standard contracts entered into between “data exporters” in the EU, such as EU subsidiaries of a U.S. multinational, and “data importers” in the United States, such as a U.S. parent corporation and its U.S. affiliates. In essence, after a European party exports personal data under a “model contract,” the recipient party outside the EU must process the data consistent with standard contractual clauses that mirror GDPR requirements.
Fortunately, under the new CJEU decision, model contracts remain alive. The new decision expressly says model contracts comply with GDPR. That said, the new decision opens the door to future challenges to model contracts. The various European country (“member state”) data enforcement agencies might prohibit or suspend exports of personal data from their countries under model contracts―if they conclude model contracts “are not or cannot be complied with in th[e recipient] third country” because of local legal requirements.[3]
In fact, as a result of the new CJEU decision, this issue will come up soon in the Irish courts, where the underlying case is being litigated. (In a follow-up article, we will examine in detail whether U.S. companies can continue to rely on model contracts as a lawful way to transfer personal data from the EU to the United States.)
What to do now: The website www.privacyshield.gov/list has an interactive list of the 5,300 Privacy Shield-certified companies. If your company is on this list―or if your company’s European operations transfer personal data to a service provider on this list (say, a payroll provider, benefits administrator, whistleblower hotline provider or other U.S.-based HR services provider)―then you need a new data transfer mechanism, which most likely will be model contracts. Your organization will also need to evaluate the risks, created by the CJEU’s decision, of relying on model contracts.
[1] CJEU Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. It invalidates Privacy Shield, EU Decision 2016/1250. It reinforces the continued viability of “model contractual clauses,” including as instituted by EU Commission Decision 2010/87.
[2] Id. at paras. 199-201.
[3] Id. at para. 121.