EU-U.S. Data Transfer Mechanisms Legal Challenges

The legal challenges to the EU-U.S. Privacy Shield come despite the framework having received two successive annual approvals from the European Commission (EC) since its July 2016 adoption.

The Privacy Shield framework currently serves as an EU-to-U.S. personal data transfer mechanism for more than 4,700 U.S. organizations.

Separately, pre-approved standard contractual clauses (SCCs), the most recent version of which was issued in 2010, are also recognized by the EC as valid transfer mechanisms to non-European Economic Area “third countries.”

SCCs Updates Ahead

On June 13th, the European Commissioner for Justice and Consumers confirmed in a speech that SCCs are being updated for the post-GDPR world:

“We are already working to modernize standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”

This update to SCCs is concurrent with a legal action challenging the validity of SCCs as a transfer mechanism to the United States in a case brought against Facebook Ireland by Austrian privacy advocate Maximillian Schrems.

The case, dubbed Schrems II, follows the 2015 decision of the European Court of Justice (ECJ) that resulted in the invalidation of the EU-U.S. Safe Harbor Agreement. The court held that, due to U.S. intelligence agencies’ surveillance practices, Safe Harbor did not provide EU citizens with protections “essentially equivalent” to those of the EU, and thus that any EU-to-U.S. personal data transfers made on that basis were not legal.

Schrems II proceeds to oral arguments before the ECJ on July 9, 2019.

In this case, the Irish High Court has referred eleven questions to the ECJ relating to whether entering into SCCs, by itself, provides an adequate level of data protection for EU personal data transferred to the U.S.

The Irish Supreme Court recently dismissed Facebook’s appeal of the Irish High Court’s decision to refer these items to the ECJ.

EU-U.S. Privacy Shield Legal Challenge

Meanwhile, the EU-U.S. Privacy Shield Framework is similarly undergoing a legal challenge on the grounds that the United States does not adequately protect EU citizens’ personal data from U.S. intelligence agencies’ activities.

The case, brought by three French non-governmental organizations, seeks to revoke Privacy Shield as a valid EU-to-U.S. personal data transfer mechanism, as occurred with Safe Harbor in Schrems I.

On July 1-2, the NGOs will argue before the General Court of the EU that Privacy Shield is not “essentially equivalent” to EU data protection law, even if it is more protective than Safe Harbor was.

The losing party could then appeal to the ECJ for a final determination.

When Will a Legal Decision be Made?

Decisions in both matters are expected within a year or less. It is unclear what effect, if any, the entry into force of new European Commission-approved SCCs would have on the ripeness of the case if introduced prior to the ECJ’s Schrems II ruling.

Moreover, in the event the ECJ were to eventually invalidate both SCCs and Privacy Shield, the latter of which was specifically drafted to withstand judicial scrutiny, it is uncertain what course of action most organizations would undertake to effectuate their data transfers.

Binding corporate rules (BCRs) and reliance on derogations such as explicit consent for cross-border data transfers are expensive, time-consuming, or disfavored options for many businesses.

It remains to be seen what effect such legal actions would have on digital commerce in practice (including on data transfers to the U.K., in the event of an eventual “Brexit”).

TrustArc will continue to follow developments closely and will provide regular updates.