EU Court Ruling Complicates U.S. Firms’ Data Privacy Plans

This article was originally published in the New Hampshire Business Review and can be found here.

Douglas Verge | August 13, 2020

A recent decision from Europe interpreting the EU’s General Data Protection Regulation (GDPR) significantly changes the way businesses in the United States can access and share the personal information of individuals located in the European Union and European Economic Area.

The GDPR is designed to protect the rights and freedoms of individuals located in the EU/EEA, including their right to privacy. One of its protections is a requirement that an individual’s personal information may be transferred outside the EU/EEA only in compliance with at least one of the lawful bases for such a transfer identified in the GDPR.

One such basis is where the appropriate European authority has determined that transfer of personal information to a country or organization/business within that country is safe because there are laws in place in that country that afford protection to data subjects comparable to the protections afforded them under the GDPR.

Until recently, the United States was the recipient of such an adequacy decision as a result of the agreed-upon EU-US Privacy Shield framework, which allowed participants to self-certify compliance with the Privacy Shield requirements.

However, on July 16, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield. Furthermore, it appears from the decision that there is no grace period, meaning that the invalidation has immediate effect.

Given that thousands of US companies have self-certified under the Privacy Shield, this decision obviously presents a significant predicament for both European and US businesses with regard to the transfer of personal information from Europe to the United States (as well as downstream transfer of that information by the initial recipient in the United States to other businesses outside the EU or EEA).

The CJEU based its conclusions on two key findings.

First, it concluded that the Privacy Shield did not adequately prevent federal government authorities from accessing the personal information of data subjects.

Second, it concluded that the Privacy Shield, even with its ombudsperson framework, did not provide adequate remedies for data subjects to enforce their rights.

The United States is considering the ramifications and how to address the decision. The Department of Commerce has said it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield framework and maintaining the Privacy Shield list, noting that the CJEU decision does not relieve participating organizations of their Privacy Shield obligations.

Obviously, businesses now need to find and rely on an alternate lawful basis for the transfer of personal information from Europe to the United States.

One such basis is utilization of the so-called “standard contractual clauses” promulgated by the European Commission. Once agreed to and put in place by the sending and receiving parties, these standard contractual clauses have been deemed to provide an adequate basis for protection of the personal information of data subjects because of the protections for data subjects built into them.

In upholding the validity of the standard contractual clauses as an adequate basis under the GDPR, the CJEU did point out that there may be circumstances under which the use of these clauses might not be a sufficient means of ensuring, in practice, the effective protection of personal data transferred outside the EU/EEA, such as where the law of the country of the recipient allows its public authorities to interfere with the rights of the data subjects to which that data relates.

The court noted that by their inherently contractual nature, standard data protection clauses cannot bind the public authorities of third countries, in which case it may be necessary to supplement the guarantees contained in those standard data protection clauses.

Unfortunately, the court did not elaborate as to what those supplementations would be. It did state that a controller established in the European Union and the recipient of personal data are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. If an adequate level of protection cannot be ensured, then the transfer outside the EU/EEA may not take place.

Unless and until the United States enacts a federal privacy law that is deemed adequate by European authorities to protect the rights of data subjects, or enters into a framework similar to the Privacy Shield that remedies the shortcomings cited by the CJEU, EU/EEA and US businesses will have to rely on the standard contractual clauses or one of the other lawful bases set out in the GDPR (or even use processors or co-controllers located in the EU/EEA or in another country whose protections are deemed adequate). When relying on the standard contractual clauses, it will be important to undertake the due diligence and address the concerns raised by the CJEU as potential impediments to the use of those clauses.

At the end of the day, this case demonstrates the need for the United States to enact a comprehensive federal privacy law. The European situation is not the only one that calls out for such a federal law. California and many other states have enacted or are in the process of enacting their own versions of a comprehensive data privacy law.

Unfortunately, while many of these laws may have similar structures and provisions, they are not identical. The difficulty of trying to understand and comply with every state privacy law is obvious. That being said, unless a comprehensive federal law specifically preempts the state laws, companies will be left trying to comply not only with each state law but also with a new federal law as well.

***

Doug Verge, a shareholder at the law firm of Sheehan Phinney, is a Co-chair of its Data Privacy and Security Law Practice Group and a member of its Intellectual Property Law Practice Group.