Blanket compliance with GDPR had protected thousands of U.S. companies
Concluding that it does not sufficiently protect data transferred from the EU to the U.S., the EU’s Court of Justice has invalidated the “privacy shield.”
The decision, which affects some 5,000 companies, will likely ramp up calls for Congress to pass the data privacy protection legislation both sides have said they support but have failed to agree on.
The privacy shield replaced the safe harbor agreement that a European Union court invalidated in October 2015 over concerns about the U.S. being able to hold up its end of the agreement given the government surveillance revealed by the Edward Snowden leaks. The voluntary framework requires companies to provide notice of what personal information is being collected and stored, the purposes it is used for, and an “opt out” mechanism.
The shield was a way for those U.S. companies to be considered in compliance with the EU’s General Data Protection Regulation simply by signing on to the shield’s data protection guarantees rather than having to come up with individual policies and agreements to comply with the GDPR protections of cross-border data flows.
But the court concluded the U.S. was not able to hold up its end of the agreement about protecting that data.
The Department of Commerce said Thursday (July 16) that it is reviewing the decision but that, in the meantime, it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification. “Today’s decision does not relieve participating organizations of their Privacy Shield obligations,” it said.
The FCC under former chairman Tom Wheeler approved privacy rules, but they were invalidated by Congress despite pushback by privacy groups and Democrats who called for a privacy “bill of rights.”
“In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the decision held.
The European Union gave a thumbs up to the EU-U.S. Privacy Shield in its first annual review back in 2017, though the annual report said it could still use some work.
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Secretary Wilbur Ross in a statement. “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”
“The interruption of transatlantic data flows resulting from this decision is a significant setback for all businesses and industries in the U.S. and EU who relied on Privacy Shield and hampers their ability to conduct day-to-day operations—everything from accessing the cloud to managing human resources and running payroll,” said ITI president Jason Oxman. “The Court’s decision negatively affects the two economies’ shared efforts to facilitate trade while providing necessary privacy protections for EU citizens.”
“This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers,” said Computer and Communications Industry Association public policy senior manager Alexandre Roure. “We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy. We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms.”