EU Court Strikes Down EU-US Privacy Shield; Keeps Standard Contractual Clauses in Place
Paul L. Kendall, PhD, MBA
A globally acknowledged leader and seasoned consulting executive with over four decades of experience in Security, Governance, Risk, and Compliance.
Back in September 2018, I went on record saying that unless the US developed better privacy laws, it was only a matter of a year or two before the Privacy Shield was invalidated. That day has come. Max Schrems is a very happy man today.
Today (July 16) the Court of Justice of the European Union declared invalid the Privacy Shield agreement between the U.S. and EU on data transfers over concerns that the U.S. can demand access to consumer data for national security reasons. The Court pointed to the ease with which the US government can collect and see user data indiscriminately as a major factor in the case, stating there are “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to that third country.”
For now, some types of data (e.g., email, flight and hotel reservations) are not affected in the short term, and cloud services by providers like Microsoft can continue, PENDING INTERVENTION FROM A REGULATORY AGENCY (caps mine).
Now the US finds itself without an easy method for transferring data between the US and Europe. Under the Privacy Shield agreement, companies could "self-certify" that they were providing adequate security. Companies must now use the Standard Contractual Clauses, which require businesses to comply with strict EU privacy regulations when transferring almost all types of data from the EU to the US. The Clauses are used to ensure the EU rules are maintained when data leaves the EU bloc. The Court ruled Thursday that those Clauses are still valid in principle.
The Court also stated that in cases where there are concerns about data privacy, EU regulators should vet, and if needed block, the transfer of data. That raises the prospect that EU regulators will block Facebook, Google and others, for example, from transferring any more European data to the U.S. This creates huge legal uncertainty for the innumerable businesses that rely on the old Privacy Shield for data transfers.
While I expect the changes won't happen overnight (except perhaps in the case of Facebook or Google), companies now need to begin putting Standard Contractual Clauses in place to ensure uninterrupted data transfer. But whatever long-term solution is arrived at, the EU is now certain to ensure it enforces GDPR and other EU privacy regulations for all EU data leaving the bloc.
Comment: Great insight. Thanks Paul L. Kendall, PhD, CGEIT, CISM, CISSP, CSSLP, GDPR-P