The EU’s high court just demolished the EU-US Privacy Shield…now what?

Last month, in what may have felt like a déjà vu moment from 2015, the Court of Justice of the European Union (CJEU) unexpectedly struck down the EU-US Privacy Shield.

The Privacy Shield was the legal mechanism that more than 5,300 organizations used to transfer personal data between the EU and the US. Of the companies that certified to the Privacy Shield, about 65 percent were small or medium enterprises or start-ups. Those companies are now forced to find other ways to comply with European privacy laws.

What was the EU-US Privacy Shield?

The Privacy Shield was an EU regulatory framework designed (in part) to make it feasible for US-based companies to receive personal data from EU entities without running afoul of EU privacy laws.

The EU-US Privacy Shield replaced the International Safe Harbor Privacy Principles, which the CJEU struck down in 2015. It allowed companies to self-certify that they would follow EU privacy rules when transferring personal data out of the European Economic Area (EEA).

Why did the CJEU strike down the Privacy Shield? 

Five years after that 2015 ruling, the EU's high court struck down the Privacy Shield because, in the court's view, US national security law did not adequately protect EU citizens' privacy rights. Two reasons drove that conclusion: (1) US surveillance law generally authorizes US intelligence agencies to compel US entities to turn over personal data, and (2) EU citizens could not seek redress in the US for such mishandling of their data.

What does that CJEU ruling mean for the games industry?  

Most companies in the games industry found it more advantageous to rely on the Privacy Shield than on other legal devices, because it was easier to demonstrate that their policies complied with EU privacy standards than to craft individual user agreements that adhered to those standards.

Now, those companies, and many EU games associations, are scrambling to find substitute means of continuing transatlantic data transfers while remaining in compliance with EU privacy law. Many are calling on policymakers to find a solution before "Europe's €21bn-strong" games industry takes too big a hit.

A Short-Term Fix: SCCs

While obliterating the Privacy Shield, the CJEU did, however, uphold the EU's "standard contractual clauses" (SCCs) as a means of facilitating companies' transatlantic personal data transfers.

SCCs are model contract terms and conditions drafted by the European Commission to protect personal data leaving the EEA for jurisdictions that do not guarantee data subjects the same level of protection as the GDPR (i.e. the US). When adopted into a contract in full and unaltered, the SCCs safeguard international personal data transfers and put the transferring companies in compliance with the GDPR.

Data giants such as Facebook and Microsoft have long used SCCs as legal devices to facilitate overseas transfers. The CJEU determined those mechanisms remain valid because EU regulators can also invalidate them at any time if a company does not comply with the terms of the SCC.

That being said, a company transferring data from the EU under an SCC must verify the level of protection in the destination country. Additionally, that company must report any issues that arise from the transfer to the exporting entity. Those obligations make the SCCs only a short-term fix for the thousands of businesses that had been relying on the Privacy Shield.

Long-Term Solutions?

Aside from new federal US data privacy legislation (which is highly unlikely this year), US businesses engaged in these types of data transfers will need to alter existing systems and, in some cases, implement new ones to maintain compliance with EU privacy law. Those systems should include detailed assessments of data transfers outside the EEA (and the UK).

Businesses also need to protect themselves with contract provisions that allow them to modify or exit contracts requiring data transfers, should EU regulators halt those types of transfers.

While the US Department of State has announced its commitment to work with the EU on a new mechanism for transatlantic transfers, companies should be working with their corporate counsel now to find the approach that best meets their needs and keeps these data transfers uninterrupted and compliant with EU privacy law.

For help navigating this area of data privacy, contact Odin Law & Media here.