On July 16, Europe’s highest court, the Court of Justice of the European Union (“CJEU”), released a landmark decision in Schrems II, complicating the process of transferring personal data from the EU to the US. The CJEU struck down the EU-US Privacy Shield, an agreement reached between the EU, Switzerland, and the US in 2016.
Purpose of the Privacy Shield
Because the EU has a higher standard for data privacy than the US, the EU-US Privacy Shield was “designed . . . to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.” Under the Privacy Shield, US companies could legally transfer EU users’ data as long as they complied with twenty-three requirements. Before the Schrems II decision, more than 5,000 US companies, including tech giants like Google, Facebook, and Twitter, relied on the Privacy Shield to transfer EU users’ data to their servers located in the US.
Why the Privacy Shield was Struck Down
The CJEU stated that US surveillance laws “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” More specifically, the Court said, “US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred,” and “the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Therefore, neither the Privacy Shield nor the companies were the Court’s main concern. Rather, the CJEU’s main concern was that US surveillance laws, such as the Foreign Intelligence Surveillance Act (“FISA”), could violate EU users’ fundamental rights of privacy.
Following the decision, Wilbur Ross, the US Secretary of Commerce, said that the Department of Commerce is “deeply disappointed” and hopes to limit the negative consequences to the “$7.1 trillion transatlantic economic relationship.” Although the Department of Commerce will continue to monitor the Privacy Shield for now, companies that are relying on the Privacy Shield must begin finding other ways to transfer EU users’ data.
Available Alternatives & Next Steps
The decision did not forbid all means for US companies to transfer EU users’ data. The CJEU held that companies can still rely on Standard Contractual Clauses (“SCCs”) to transfer users’ data because they allow “companies to seek specific consent from users for data to be exported.” However, the Court added that companies using SCCs “need to ensure that any country they transfer data to offers ‘essentially equivalent’ protection to the EU.” This places a great burden on companies, especially small businesses, and leaves them in confusion. To remedy any confusion, courts will need to provide guidance on how to use SCCs – preferably, sooner rather than later.
While US companies can switch to or continue to use SCCs for data transfer, SCCs are a burden for both companies and regulators because SCCs are implemented on a case-by-case basis. The burden imposed by SCCs makes this an unviable solution. Instead, the EU and the US will need to work together to craft a new agreement. The success of this new agreement, however, may depend on whether the US makes any change to its surveillance laws. Without such a change, it is very likely that any new agreement will eventually meet the same fate as the Privacy Shield.
Haodi Dong is a second-year law student at Wake Forest University School of Law. He holds a Bachelor of Science in Applied Mathematics and a Minor in Philosophy from the University of California, Davis. After graduation, he intends to practice corporate and intellectual property law.