European Court of Justice Strikes Down Part of European/US Personal Data Transfer Framework

Overview: A recent European court ruling on handling of EU citizen personal information now challenges non-European businesses, especially those in the US, on maintaining compliance with the GDPR, given US government access to this data.

As reported in the July 16, 2020 Wall Street Journal, The European Court of Justice ruled current US practices intended to comply with EU General Data Privacy Regulations (GDPR) are no longer valid.

This issue came to the Court’s attention in a case involving an Austrian, Max Schrems, who argued that Facebook should not be permitted to transfer EU citizens’ data to the US and store it there because that data may be accessed by US government entities.

This ruling now restricts organizations that seek to transfer and store EU citizen personal information outside of the EU to any other country not determined as having data privacy safeguards in line with the GDPR. Prior to the ruling, the European Commission indicated that the only countries that ensure an adequate level of protection to meet the GDPR standard are Andorra, Argentina, Canada (only for commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to companies certifying to the Privacy Shield framework).¹

US companies could only meet this standard through specific agreements designed to comply with the EU’s GDPR. Many large companies entered into binding corporate rules (BCRs), which are sophisticated contracts and procedures designed for large multinationals to meet EU standards.  Other, mostly smaller, companies certified to the EU/US Privacy Shield framework (which replaced the old EU/US Safe Harbor framework) provided through the US Department of Commerce with the EU’s endorsement. Currently, over 5,300 organizations are signatories to the EU/US Privacy Shield framework.

With the Court’s new ruling, these options largely fail to meet the EU standard. Under what’s called the third-party doctrine accepted in the US, individuals who provide their personal information to a third party, such as a bank, Internet service provider, or others, do not have an expectation of privacy. This, in turn, can mean that the US government can obtain this personal information without a legal warrant.  This doctrine has been used by US authorities to access EU citizen data stored in the US and is what the European Court balks at—that the US regime does not permit European citizen to have an absolute right of privacy.

The Court’s verdict has just been announced. The US and EU privacy communities are still assessing the Court’s opinion and what can be done. Given the amount of cross-border high technology business between the US and Europe, clearly the business community wants to find a solution.

Early thinking on resolution measures include the following:

• US companies could encrypt EU citizen personal information during data transfer and storage so US authorities cannot access it.
• US companies might deploy servers in the EU specifically to store EU citizen personal information.

Meanwhile, businesses that serve as a “controller” of customer, consumer, employee or other EU citizen personal information that is transferred to/stored in the US or other countries with inadequate safeguards will want to:

• Closely watch efforts to resolve this legal dispute to see if EU and US parties can find a solution within the current framework;
• If the framework negotiations become drawn out, monitor what peer organizations are doing individually to address this problem, given that EU regulators at some point will enforce the Court ruling;
• Understand their exposure to handling/transferring EU citizen personal information to know the risks they face.

Any business that serves as a “processer” of this personal information on behalf of a controller may expect controller organizations to reach out in coming weeks to explore new arrangements to further protect EU citizen personal information.

Notes

¹EU Adequacy Decisions (How the EU determines if a non-EU country has an adequate level of data protection); https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en