The European Court of Justice's ("ECJ") has struck down the EU-US Privacy Shield Framework. Following the ECJ's 2015 decision to invalidate the EU-US Safe Harbor agreement, the previous framework in place that attempted to ensure adequacy between EU and US cross-border data transfers, today's opinion has invalidated the European Commission's highly enforced, and commonly used data transfer data mechanism between the EU and US.
In its ruling, the Court claimed that Privacy Shield fails to sufficiently limit U.S. government access to personal data about EU data subjects to that which is strictly necessary and proportional or to provide actionable judicial redress.
The irony, of course, is that many EU member states have similar surveillance laws as the US. And comparison among them is difficult, since actual practices of intelligence authorities within Member States are cloaked in secrecy, and laws are complex and fragmented. Moreover, due to constitutional limitations on the EU’s jurisdiction to legislate matters of national security, the legal situation in the EEA Member States is nowhere near uniform. For example, in some EEA Member States, senior police or military officers can issue search warrants.
On the subject of Standard Contractual Contracts, however, the Court concluded that individual agreements that facilitate the global transmission of EU data are valid, but risks involved with contracting particular data transfers to third countries have to be taken into account. According to the Irish Data Protection Authority, "in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable."
Much remains uncertain at this point. But this much we know. The EU's High Court has invalidated a highly enforced mechanism, on which more than 5,000 U.S. companies depend, and will certainly cause uncertainty in the near future, and result in insurmountable credibility challenges for the future of cross-border data transfers.
For companies currently certified under Privacy Shield, the Commerce Department warns you must remain in full compliance.
"The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations."
Finally, lest we forget, Swiss-US Privacy Shield Framework remains in effect.
To read the Court's full opinion, click on the link below. For a review of national surveillance laws across the globe, check out our Global Surveillance Survey:
"In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid."