European court ruling on Privacy Shield may mean US must reckon with commercial impact of intelligence gathering

The decision by the European Court of Justice to nullify the EU-US Privacy Shield and to limit Standard Contractual Clauses for international data transfers is arguably the most important data-protection ruling in years, a decision that scrambles the existing global data-transfer order.

It's a ruling that raises plenty of questions, but few answers. For the US, the ruling places economic interests in stark conflict with national security, given the European court finding that American intelligence surveillance oversight is “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.

While there will be no immediate interruption of the digital trade between the US and EU that the US Chamber of Commerce values at $7.1 trillion a year, the ECJ ruling means the more-than-5,300 smaller and mid-sized companies that use Privacy Shield, as well as many companies that use Standard Contractual Clauses to transfer data, can’t continue with business as usual.

EU and US officials now will have to decide whether to propose more limited changes to Privacy Shield — a questionable strategy given that the ECJ has struck down both the Shield and the previous Safe Harbor data transfer scheme in October 2015  — or to pursue a completely different, as-yet unknown data-transfer approach.

The ruling could prompt US companies to store more of their data in Europe, perhaps by building data centers there. But that would also raise concerns about the growing global problem of data localization, as nations impose costs, limit access to new markets and potentially trigger more privacy problems as they increasingly assert their sovereignty over the international flow of data.

While the ruling highlights the glaring lack of a US national privacy law among developed nations, that wasn't the basis of the ECJ ruling, which was focused on the oversight of US spy agencies under the Foreign Intelligence Surveillance Act and US Executive Order 12333.

“The problem with the US is that there is no omnibus privacy law,” privacy activist Max Schrems, who brought the case against Facebook that led to today’s decision, told reporters at a briefing yesterday. But even if Congress were to pass a national privacy law, unless it also covered the bulk collection of data of non-US citizens by US intelligence agencies as well as commercial privacy practices, it wouldn’t fix the problem identified by today’s ECJ ruling.

For now, senior US officials acknowledge they don’t really know what comes next, although they will work to limit fallout caused by the ruling. But there could also be opportunity for California, where voters will decide this year whether to move an existing state comprehensive privacy law even closer to the EU’s General Data Protection Regulation.

Today’s ruling also has ramifications for the UK, which as a result of Brexit is trying to negotiate a data-protection adequacy deal with the EU. Like the US, Britain has an active international intelligence network.

Caroline Louveaux, the chief privacy officer for Mastercard, compared her feelings after the ruling today to showing up for a university final exam having not done any preparation for the course. “There is total uncertainty,” Louveaux said on a webinar organized by OneTrust that drew more than 2,000 worried participants.

Water Under Troubled Bridges

There are three commonly used “bridges” to transfer the personal data of EU citizens to other jurisdictions with other privacy laws: Privacy Shield, contractual clauses and Binding Corporate Rules. “I have never been as happy as today that we went for BCRs,” Louveaux  said.

Lara Liss, the chief global privacy officer for the Walgreens Boots Alliance, likened the ECJ decision to a structural engineer who finds problems with the integrity of two train bridges — Privacy Shield and Standard Contractual Clauses — although in this case, the “trains” carry personal data.

“What we heard this morning was that the Privacy Shield bridge is no longer structurally sound,” Liss said. But even with the SCC bridge, companies will have to carefully check the destination and intervening stops of the data, Liss said, because the ECJ ruling means companies will have to decide whether the national laws where the data is exported are in conflict with the data-protection obligations in the SCCs.

“It creates more of an obligation on companies to really look at this very closely” when using SCCs, Liss said.

For California, where enforcement of the privacy provisions of the California Consumer Privacy Act began just this month, EU officials have said the CCPA could allow California and the EU to negotiate an adequacy deal that would allow the free transfer of data without a mechanism such as Privacy Shield.

For California and Europe, “there are no obstacles to have adequacy,” Bruno Gencarelli, head of the European Commission's international data flows and protection unit, said in 2018.

An adequacy ruling could be even more feasible if California voters pass the California Privacy Rights Act as part of a ballot initiative that will be decided in November. The CPRA would move the largest US state even closer to Europe’s GDPR on privacy regulation, and even surpass its protections and sanctions in terms of the privacy of location and children’s data.

Even back in 2015 when the ECJ nullified Safe Harbor, the predecessor of Privacy Shield, it appeared the US would have to make a choice — spying or commerce? And five years later, a key element of today’s ECJ decision had to do with the “Ombudsperson” mechanism set up in Privacy Shield to deal with privacy complaints by Europeans about US intelligence activities.

The court found that the Ombudsperson mechanism lacks actionable rights before the courts against the US authorities, ruling that it “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law,” according to a court summary of the decision.

For the US, the decision will likely mean federal officials must at last confront the question of whether bulk collection of data from non-Americans by US intelligence services is worth the economic harm of US companies being handicapped from selling their digital services in the 500 million-person European market.

In the confusing aftermath of today’s position, it's impossible to predict how the winner of November's US presidential election will judge that question.