IAA partnered with the Global Advertising Lawyers Association (GALA) to host the virtual book launch of the first-ever "Global Privacy Laws Handbook" on July 8th. The event was attended by more than 50 countries across the globe who are affiliated with IAA. You can view the entire session by clicking on the link at the bottom of this article.
Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. Federal Privacy Legislation, it is little to no surprise (albeit disappointing) that the European Court of Justice invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.
What is Privacy Shield and what happened to change it?
The EU-U.S. Privacy Shield Framework as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”
The European Commission deemed Privacy Shield an acceptable transfer mechanism on July 12, 2016, and it quickly became a replacement for the prior Safe Harbor Framework, which the Court struck down in 2015. The majority of US organizations transferring personal data from the EU to the U.S. over the last several years have taken advantage of Privacy Shield self-certification and/or Standard Contractual Clauses.
Four years later on July 16, 2020, the Court invalidated the European Commission’s decision above to validate Privacy Shield as an appropriate transfer mechanism. This decision is effective immediately. Entities that rely on Privacy Shield as a data transfer mechanism in the European Union will need to transition to a different transfer mechanism.
What was the Court’s Finding?
The Court concluded Privacy Shield does not maintain a high level of protection that is equivalent to protection afforded to personal data in the EU. As a result, Privacy Shield cannot provide appropriate safeguards and is an invalid mechanism for transferring personal data of data subjects in Europe to a U.S. location.
The ruling was based on the Court’s evaluation of (i) the potential for U.S. government access to transferred personal data as permitted under various U.S. laws, (ii) the lack of enforceable data subject rights, and (iii) the lack of adequate remedies for data subjects.
In addition, the Court determined, Privacy Shield’s failure to prevent interference from U.S. intelligence authorities impedes the data subject’s ability to exercise their rights afforded under European data protection laws. Again, because U.S. authorities are not bound by Privacy Shield, government agencies like the FBI and CIA can send data requests on certain individuals to electronic communications service providers (e.g., Facebook) under U.S. law. These providers must comply and are not always permitted to disclose their compliance with such requests. Further, the U.S. government entity is generally not required to provide notice to the data subject that it has issued a request for their data from a provider.
Lastly, the Court deemed inadequate the remedies available to data subjects who believe their information was illegally transferred, processed, or shared. The Court found that Privacy Shield and U.S. laws limit a data subject’s rights to those that are contractual and only against the exporter and importer of the personal data. According to the Court, this falls substantially below the remedies afforded to data subjects under European data protection laws.
Given the analysis above, the Court determined that, because Privacy Shield cannot prevent interference from U.S. government agencies and surveillance programs at a level that is equivalent to the rights and remedies afforded data subject under European data protection laws, Privacy Shield is an invalid transfer mechanism in the European Union.
When and how does this impact Companies that rely on Privacy Shield?
This decision is effective immediately and companies can no longer rely on Privacy Shield as a transfer mechanism. The Court did validate Standard Contractual Clauses so this will remain an approved transfer mechanism for the time-being. Another option is to use the Binding Corporate Rule. Of course, U.S. organizations currently relying on Privacy Shield will also want to update online and internal privacy policies and agreements that reference Privacy Shield.
We want to thank Shelly Berry, a member of GALA (Global Advertising Lawyers Alliance), who is IAA’s Institutional member and our resource partner in this space.
Here is a collection of views by experts from the IAA community on the topic of Data Privacy in the digital space
Brad Weltman, Director of Privacy Policy Engagement, Facebook
“COVID-19 demonstrated the important, at times life-saving value of online tools and data. As we continue to move more of our work, social lives, learning and healthcare online, we’ll need to modernize the rules of the road and prioritize aspects like transparency and control, so that people and businesses can take full advantage of online tools and services.”
Frith Tweedie, Digital Law Leader, EY Law Limited
“As consumer and regulator expectations around privacy continue to grow, surveillance concerns associated with global responses to COVID-19 may well prompt further regulatory change. Equally, however, we may see some countries change their privacy laws to facilitate things like contact tracing. The big question will be whether any stronger powers granted in the context of COVID-19 will be pulled back once the dangers of the pandemic subside. Or will those extended surveillance powers become part of the “new normal”?