Court decision triggers major changes for EU–US data transfers

On July 16, the Court of Justice of the European Union (CJEU) released a decision with major implications for the top two legal mechanisms that allow for the transfer of personal data from the European Union to the United States. The Privacy Shield agreement and standard contractual clauses (SCCs) are the two mechanisms, in practice, that middle market companies can leverage under the General Data Protection Regulation (GDPR). This decision raises the distinct possibility that companies will now need to start seriously considering keeping European personal data in Europe—because they will be unable to avail themselves of the mechanisms the GDPR provides for exporting EU personal data.

Under the GDPR, transfers of personal data out of the EU (whether from consumers, employees or business contacts) is only allowed, as a practical matter, if one of two mechanisms is used: the country that the data is being transferred to has been deemed by the European Commission to provide “adequate” protection of personal data, or the companies engaged in such transfers have entered into legal contracts containing SCCs, published by the European Commission, which must be used without modification. A third mechanism, Binding Corporate Rules (BCRs) is, in practical terms, not an option except for large corporations.

The CJEU decision invalidates, with immediate effect, the EU–U.S. Privacy Shield agreement, which provided the adequacy mechanism for transfers of personal data from the EU to the U.S. Approximately 5,000 U.S. companies had self-certified under Privacy Shield and will need to switch to a different mechanism to legally transfer data from the EU to the U.S.

With regard to SCCs, the court’s decision is less categorical but no less impactful. It clarifies that, in the absence of an adequacy decision (which no longer exists in any form for the U.S.), it falls to companies that export personal data from the EU to determine, on a case-by-case basis, whether the country to which the data is being transferred provides adequate protection.

Given that the court struck down Privacy Shield precisely on the grounds that the U.S. does not provide such protection, it is difficult to see how companies could reach a different decision than the court. Standard contractual clauses may, therefore, also provide scant relief as a basis for the transfer of personal data from the EU to the U.S.

As the top court in the EU, there is no appeal possible for the CJEU decision.

Practical implications

This is a major decision with wide-ranging implications for any company that transfers personal data from the EU to the U.S. In practical terms, it means the following steps should be set in motion:

1. Do not panic. Both the European Commission and the U.S. Department of Commerce have reacted to the invalidation of Privacy Shield with statements confirming that they will work collaboratively to find a solution.
2. If your company relies on Privacy Shield, start evaluating a shift to SCCs as soon as possible. This is not a small undertaking; it affects each and every contract with every third-party your company works with that transfers personal data from the EU to the U.S.
3. If your company currently uses SCCs, start reviewing every contract and assess the likelihood that the adequacy of U.S. data protection laws will cause them to be challenged by the EU parties involved.
4. Prepare for more litigation. The court’s decision provides plenty of ammunition to consumers, consumer groups, employees and any other European data subjects to challenge the legitimacy of data transfers to the U.S.
5. Consider your options for segregating EU data in the EU. The decision makes it clear that it will be increasingly difficult, if not impossible, to continue transferring personal data from the EU to the U.S. While neither the GDPR nor the court’s decision technically forbid such transfers, this decision will make it much harder to justify an adequate legal basis for this.
6. Consider the implications for Brexit. As the United Kingdom prepares to exit the EU at the end of its transition period at year-end, transfers of data from the UK to the EU will fall under the same scrutiny. The European Commission has shown no inclination to fast-track an adequacy decision for the UK. Further difficulties should therefore also be expected for such transfers of personal data.

This is a far-reaching decision, which will require significant changes for U.S. companies. While quick action is not possible given the complexity of the matter at hand, it is important for companies to start assessing the impact and reviewing their options. An experienced advisor can help you successfully navigate the implications of this new decision and the developing regulatory guidance that will unfold over the next weeks and months.