(Getty Images)
This issue is a big deal, but one that comes as little surprise to those following subject. As you may have already heard, the Court of Justice of the European Union (ECJ) recently ruled that the current data transfer agreement between the European Union and the United States known as the “Privacy Shield” did not provide adequate protections for the data of EU citizens when such data is transferred to the United States. That’s right — barely four years old, the Privacy Shield in its current form is dead. This is not the first rodeo when it comes to United States-European Union data-transfer harmonization, but the recent ECJ ruling definitely acts as a second strike and does not bode well for an easy fix to an already complicated situation.
Some necessary background will help provide some understanding why this is a big deal. As I have written here before, there is no comprehensive federal statutory approach in the United States to the privacy of personal information. Such information can be collected without the specific consent of the individual at the outset, subject to specific notice, consent, onward transfer, and other requirements after the fact. The European Union has taken a different approach — it acknowledges that “personal data” is owned by the individual, and the individual must provide informed consent to the use of such personal data. Without getting into the weeds here, suffice it to say that the EU’s focus on the individual resulted in the passage of Directive 95/46/EC (Data Privacy Directive) to protect individuals in the processing of their personal data and and the “free movement of personal data” within the European Union and the European Economic Area (EEA). Simply put, the European Union and United States took different approaches to personal data privacy, causing problems in personal data flow from the European Union to the United States. As a result, the cross-border data flow of personal information from the European Union to the United States needed to be “harmonized.”
The first attempt at this “harmonization” was the International Safe Harbor Privacy Principles developed in the late 1990s to create a framework for private organizations regarding the handling of personal data within the European Union, Switzerland, and the United States to protect it from improper disclosure or loss. This resulted in the U.S. Department of Commerce’s “Safe Harbor” — a way for U.S. companies to “opt-in” and self-certify that they adhered to these principles (as well as 15 frequently asked questions and answers per the Directive), thereby providing “adequate assurances” concerning the privacy of such personal information. Even though the European Commission ruled in favor of the Safe Harbor in 2000, the Safe Harbor was overturned in 2015 in a case brought before the ECJ, in no small part due to the Snowden revelations regarding NSA surveillance and its access to vast amounts of private data in contravention of the International Safe Harbor Privacy Principles.
Following this decision, U.S. companies started relying on standard contractual clauses (SCCs) and binding corporate rules (BCRs) approved by the European Commission to govern such data transfers. Then the General Data Protection Regulation (GDPR) was passed in 2016 as a long-needed update to the Data Privacy Directive, with an effective date slated for May 2018. In the midst of all this, the European Commission and the United States came up with the Privacy Shield to improve data protection for trans-border flows of personal information from EU citizens to the United States post-Safe Harbor. The EU-U.S. (and Swiss-U.S.) frameworks for Privacy Shield “were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.” The European Commission held this framework to be “adequate” so as to permit trans-border flow of personal data from the European Union to the United States (with the Swiss government following suit in January 2017). Fast forward to 2020 (with the GDPR now effective), and low and behold, the Privacy Shield is struck down by the ECJ, invalidating the Privacy Shield framework as inadequate (i.e., it’s Safe Harbor under another name) with no grace period to wind-down. In a way, it’s déjà vu all over again.
Please forgive the blatant skeleton timeline above, but it provides an important contextual point — trans-border flow of personal data from the European Union to the United States has a long history, and not a simple one. U.S. companies now no longer enjoy the streamlined approach for such transfers afforded by the original Safe Harbor and the now-invalid Privacy Shield. Why does this matter? This affects not only large service providers (such as Google) and social media sites (such as Facebook) used worldwide, but many U.S. companies doing business internationally with the EU and EEA. With the GDPR regulatory requirements now in place concerning the transfer of “personal data” from EU “data subjects” to data controllers and data processors outside the EU, this issue is one U.S. companies cannot ignore.
Thankfully, all is not lost. Here is some food for thought:
- Think About SCCs. The ECJ decision did not invalidate SCCs. That said, the ECJ made it clear that the SCCs are not enough — an update from the European Data Protection Board clarified that “supplementary measures” must be used together with SCCs for such “adequate assurances” to be supported, taking into account the circumstances of the data transfers. What are such “supplementary measures”? Good question.
- Think About BCRs. BCRs were developed in the EU under the DPD to permit intra-organizational transfers of personal data across borders. BCRs were also not rendered invalid by the recent ECJ decision; however, use of BCRs within multinational business organizations will require “supplementary measures” similar to those referenced for SCCs. Again, what such “supplementary measures entail” remains unclear.
- Think About Data Subject Consent. This is a reasonable focus that is worth further consideration. Article 49 of the GDPR permits transfer of personal data from the EEA to the United States if certain derogations are met, such as explicit consent from the data subject, specific to the particular data transfer, and outlining the potential risks of the personal data transfer. This may or may not work in many circumstances, but in a post-Privacy Shield world, every reasonable option needs to be on the table.
Needless to say, the above bullets are not exhaustive, and there is a lot to think about here, especially in light of GDPR compliance. Hopefully, the Department of Commerce with work with the European Union for a viable new framework post-haste. No question about it — the home team is down by a run with bases loaded in the bottom of the 9th inning, with two outs and the batter already has two strikes against him. Whether the next pitch is a hit or a strike out remains to be seen. For the sake of U.S. companies, let’s hope it’s the former.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
