21 July 2020
In a strongly worded decision, the European Court of Justice (CJEU) has struck down the Privacy Shield data transfer arrangement between the EU and the US.
What is the Privacy Shield?
The Privacy Shield was put in place in 2016 to allow companies to transfer the personal data of EU citizens to the US without breaching the EU’s strict privacy rules (including the General Data Protection Regulation or GDPR). These rules restrict the transfer of personal data from the EU to a country which does not provide privacy safeguards which are equivalent to the EU. The Privacy Shield set up a system which allowed companies lawfully to make transfers of data from the EU to the US, even though US privacy legislation falls below the EU equivalency threshold. The Privacy Shield replaced the earlier Safe Harbor arrangement which was itself quashed by the CJEU in October 2015.
Has Privacy Shield worked?
The Privacy Shield arrangement was welcomed by some business groups and, since 2016, more than 5,000 organisations have signed up to the Privacy Shield principles, including agreeing to oversight by US regulators. But the arrangement was immediately the focus of European privacy pressure groups who argued that it failed to provide adequate protection for the personal data of EU citizens, in particular from US authorities. As a result, there was always a risk that the Privacy Shield would suffer the same fate as Safe Harbor.
The case against Privacy Shield
The question in the recent case before the CJEU was essentially whether a transfer of data from the EU to the US under the Privacy Shield gave EU citizens protection equivalent to that provided under EU law. The CJEU also considered the validity of Standard Contractual Clauses (SCCs). SCCs are standard sets of contractual terms, drafted by the European Commission, which parties can use when transferring personal data outside the EU to a third country which does not satisfy the EU data protection equivalency requirement. The argument against the use of the SCCs when transferring data to the US (in this instance by Facebook) was that the clauses do not provide adequate protection against access by US public authorities to the data.
The CJEU’s decision - Privacy Shield
The CJEU accepted the argument that the Privacy Shield did not set appropriate limits on access to individuals' data by the US authorities. The court found that under the Privacy Shield, the rights of US national security, public interest and law enforcement agencies took precedence (‘primacy’) over the privacy of individuals. It held that this was not proportionate as the right of the US authorities to access the data was not limited to what was ‘strictly necessary’. As a result, the court held that the Privacy Shield does not provide individuals with equivalent protections to those guaranteed under GDPR and EU law.
The CJEU’s decision - SCCs
On the question of the validity of SCCs, the CJEU held that it was not crucial that the SCCs do not bind the authorities in the third country to comply with the clauses. The obligation lies with the data exporter and the data recipient in the third country to include mechanisms in the contract to ensure compliance. If the protection clauses cannot be complied with, the transfer of the data must be suspended.
What do companies do now?
The collapse of Privacy Shield is a real concern for companies and other organisations which rely on the arrangement to transfer data between the EU and the US. Unless and until another agreement is reached between the EU and the US, companies will have to fall back on alternative mechanisms such as the SCCs or using regional data processing for EU employees.
It is difficult to see how this battle is going to reach a satisfactory conclusion. Despite some US states putting in place stricter privacy legislation, there does not seem to be any appetite at a national level for data privacy rules of the standard in force in the EU under GDPR.
For companies operating share plans across the Atlantic, there is an obvious need to easily and lawfully transfer data on EU-based participants to the US. Many companies continue to rely on SCCs although the CJEU did stress that failure to satisfy the principles behind the SCCs could result in the clauses also failing. It will not be sufficient to simply insert SCCs in a contract - companies will be expected to do a proper risk assessment to ensure compliance with both the spirit and the letter of the clauses.
Data protection is not a share plan specific issue, so companies and administrators transferring data from the EU to the US should discuss with the people who manage data privacy compliance in their organisations to check what approach they are taking with regard to data transfer arrangements for the business as a whole.
If you need any advice on this or how data protection rules impact your share plans, please contact us.
Carla Walsham & Sharon Thwaites