Privacy Shield annulment prompts new uncertainty over EU-US data transfers

A landmark ruling by the EU’s top court on international data flows will lead to more legal uncertainty for thousands of companies that use an EU data transfer mechanism, prompting some to call for a grace period to adjust to the new environment.

Companies sending data from the EU to the US will be far more restricted after today's ruling. Beyond annulling the Privacy Shield, the court also placed strict conditions on the use of another data-transfer mechanism, known as standard contractual clauses, or SCCs.

Without the Privacy Shield, companies must find another way to legally transfer data outside of the 27-nation bloc. The problem is that if they turn to SCCs — the most widely used mechanism that is still valid — they must judge whether the national laws where the data is exported are in conflict with the data-protection obligations in the SCCs.

The Court of Justice said companies “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned.” This obligation will put a huge burden on the more than 5,300 companies that currently use the Privacy Shield.

Multinational companies may have the capacity to handle these obligations, but small EU companies may struggle to perform a detailed examination of the circumstances surrounding each transfer. How will they know how to assess the surveillance laws in the US, China or India?

Small businesses currently account for about 70 percent of SCC users, according to the Computer and Communications Industry Association, which called on enforcers to give companies time to adapt to the rule change.

“We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy,” said the CCIA’s Alexandre Roure. “We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms.”

BusinessEurope’s director general Markus Beyrer agreed. “We have to find an intermediate solution for the companies,” he said. “We need some kind of moratorium on application of penalties.”

More enforcement

The court, however, said that EU data-protection authorities are obliged to suspend or prohibit data transfers in cases where surveillance laws violate EU data-protection principles and the companies did not take action.

Max Schrems, the Austrian privacy activist who mounted the original challenge against Facebook’s transfer of data to the US, is convinced that Ireland’s Data Protection Commission will be obliged to rule against the transfers. He called the SCCs "de facto dead."

If a company continues to transfer data that’s not in line with EU fundamental rights, it could face fines of up to 4 percent of global annual revenue or 20 million euros ($23 million), whichever is higher. Companies could also face lawsuits from people claiming that their data-protection rights have been violated.

So, even though today’s decision goes some way in ending years of unease over the validity of SCCs, companies are on the hook for complicated assessment of national security laws. In practical terms, this would be very difficult for most companies.

What comes next?

EU and US negotiators are likely to try to broker a new agreement on international data transfers. The first talks between US and EU officials to assess the judgment will be held tomorrow; but a new deal will be a tall order during an election year in the US.

The European Commission will also continue its work to modernize the SCCs in light of today’s ruling and the EU’s General Data Protection Regulation, which took effect in May 2018. The commission has held off issuing new SCCs until the ruling.

Věra Jourová, who leads the commission’s work on values and transparency, said today that her team would work with national data-protection authorities to update data-transfer mechanisms.

While the Schrems decision avoids a major catastrophe for companies, there are still many uncertainties ahead. Companies will be vigilant about how changes to SCCs will affect their international data transfers, to avoid any unpleasant surprises in the future.