On July 16, 2020, the European Court of Justice struck down the popular EU-U.S. Privacy Shield tool, a cross-border data transfer mechanism, due to a determination that the United States fails to adequately uphold EU privacy laws. The court found that the Privacy Shield does not provide sufficient protections on EU residents’ data from government surveillance when transferred to the United States; however, the court will continue to allow standard contractual clauses as an alternative means of transatlantic data transfer, albeit with stringent conditions in place.
Many are considering this ruling to be a big win for personal data protection; however, there is still a significant amount of uncertainty on the path forward without the Privacy Shield as an option. Over five thousand U.S. businesses that utilize the data transfer system, including Google and Facebook, will now need to reevaluate how they plan to compile and store the data of their European customers in the future and if standard contractual clause processes are reliable enough to effectively do so. If these companies cannot find a solution in compliance with the court’s decision, they risk having to shut down all EU-U.S. data transfers completely.
Irish Data Protection Commissioner Helen Dixon, who is the EU's lead supervisory authority for major tech companies including Facebook and Google, said in a statement released shortly after the court issued its ruling that although standard contractual clauses are still valid, given the concerns about the inability of U.S. law to prevent intelligence officials from broadly accessing EU citizens' data, "the application of the standard contractual clauses mechanism to transfers of personal data to the United States is now questionable." She elaborated during a panel discussion that while her office hasn't made a definitive decision as to whether standard contractual clauses still provided a lawful basis for transferring data to the U.S., "we wanted to put our cards on the table that the rush by some to suggest [standard contractual clauses] are automatically the solution to the five-and-a-half thousand companies impacted by the Privacy Shield invalidation, we haven't swiftly come to that conclusion."
It remains to be seen when and how EU authorities will enforce this decision, but at a minimum, companies who transfer data out of the EU must ensure not only that the standard contractual clauses are implemented, where necessary, but that they can be complied with in practice.
For more information on how these could impact your business, contact: