Privacy Shield is gone... what's next
On July 16, 2020, the European Court of Justice (ECJ) invalidated Privacy Shield in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). Privacy Shield was an approved mechanism to transfer personal data from the EU to the United States. The Court, however, found that Privacy Shield failed to consider adequately U.S. laws authorizing government authorities to access data transferred from the EU to the United States, and that the ombudsperson mechanism does not provide effective administrative or judicial redress for the data subjects concerned. Therefore, the ECJ found that Privacy Shield did not provide protections that are “essentially equivalent” to those set out in EU law, and it invalidated Privacy Shield with immediate effect.
Over 5,000 US businesses were using Privacy Shield to transfer personal data between the EU and US. This ruling puts a substantial portion of commerce at risk.
The Court also found that the Standard Contractual Clauses (SCCs) were valid in the abstract. But it put the onus on the entities relying on the SCCs “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” (para. 134). This is a tremendous burden on data exporters: they must determine whether a third country's legal system offers adequate protections, resolve numerous legal risks before being comfortable using SCCs, and work out what "additional safeguards" may be needed.
The Irish Data Protection Commissioner now will have to examine whether Facebook's use of SCCs to transfer data to the US is lawful. Given that the issue with Privacy Shield was that US laws were too permissive and that there is no way for EU citizens to challenge the US government, it is doubtful that SCCs as applied to US transfers will be found valid. Regardless, I suspect that any decision by the Irish DPC will be appealed to the ECJ.
Going forward, I do not believe a replacement law for Privacy Shield will come soon because the US would have to put limits on access to personal data from Europeans, and any law would have to grant data subjects the right to challenge the US government in court.
[update] On July 17, 2020, the Berlin Data Protection Authority called on Berlin-based data controllers to stop any transfers of data under the SCCs until the analysis required by the CJEU has been completed and any additional safeguards have been put in place (see link). Some potential ways to mitigate the issues with the SCCs are: encrypt the personal data being sent to the US and keep the key in Europe; pseudonymize the data and keep the key in Europe; minimize the personal data being sent to the US so that little risk remains if it is accessed there; use a regional data center, keeping the personal data in Europe and processing it there;
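The pseudonymization and minimization options above can be made concrete. The following is an added example written for this post, not code from the original or from any vendor: an EU-side component holds a secret key, replaces direct identifiers with a keyed HMAC token before a record is exported, drops every field the US-side processing does not need, and keeps the token-to-identity mapping in Europe. The record layout, the sample customers, the field lists and the EU/US split are all constructed for the illustration; in a real deployment the key would live in an EU-resident KMS or HSM, and any personal fields that must still travel would additionally be encrypted with an AEAD cipher (for example AES-GCM from the `cryptography` package) under a key that also stays in Europe, which this stdlib-only example does not show.

```python
"""Pseudonymize and minimize records before export, key held on the EU side.

Added example (hypothetical records, field names and deployment split); the
HMAC key stands in for a key that a real system would keep in an EU KMS/HSM.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample input: two orders for one customer, one for another.
SAMPLE_RECORDS: List[dict] = [
    {"customer_id": "C-1001", "email": "anna@example.org", "phone": "+49 30 0000000",
     "country": "DE", "order_total": 42.50},
    {"customer_id": "C-1001", "email": "anna@example.org", "phone": "+49 30 0000000",
     "country": "DE", "order_total": 13.00},
    {"customer_id": "C-2002", "email": "bo@example.org", "phone": "+33 1 00000000",
     "country": "FR", "order_total": 99.99},
]

# Hypothetical policy: these fields identify a person directly and never leave the EU.
DIRECT_IDENTIFIERS = {"customer_id", "email", "phone"}
# Hypothetical policy: the only fields the US-side processing actually needs (minimization).
FIELDS_NEEDED_IN_US = {"country", "order_total"}


class EuPseudonymizer:
    """Runs in Europe. Holds the key and the re-identification table; neither is exported."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 256 bits")
        self._key = key
        # token -> original identifiers; stays on the EU side only.
        self._lookup: Dict[str, Dict[str, str]] = {}

    def token_for(self, customer_id: str) -> str:
        # A keyed MAC rather than a plain hash: without the key, a recipient cannot
        # confirm a guessed identifier by hashing it, yet the same customer always
        # maps to the same token, so US-side analytics can still link their orders.
        return hmac.new(self._key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def export_record(self, record: dict) -> dict:
        """Return the minimized, pseudonymized copy that is allowed to leave the EU."""
        token = self.token_for(record["customer_id"])
        self._lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        exported = {"subject_token": token}
        exported.update({k: v for k, v in record.items() if k in FIELDS_NEEDED_IN_US})
        return exported

    def reidentify(self, token: str) -> Dict[str, str]:
        """EU-side only: map a token back to the identifiers it replaced."""
        return self._lookup[token]


def export_for_us(pseudonymizer: EuPseudonymizer, records: List[dict]) -> List[dict]:
    """Process a batch on the EU side; only the returned list crosses the border."""
    return [pseudonymizer.export_record(r) for r in records]


def leaks_direct_identifier(record: dict) -> bool:
    """Pre-export check: true if any direct identifier survived minimization."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    eu = EuPseudonymizer(b"\x01" * 32)  # constructed key; use a KMS-managed key in practice
    batch = export_for_us(eu, SAMPLE_RECORDS)
    for r in batch:
        assert not leaks_direct_identifier(r)
        print(r)
    print("EU-side re-identification:", eu.reidentify(batch[0]["subject_token"]))
```

The exported batch contains only a token and the two business fields; the US side can still group orders by customer because the token is deterministic, but turning a token back into an email address requires the table and key that never left Europe. The `leaks_direct_identifier` check is the kind of gate worth running in the export pipeline itself, so that a schema change adding a new identifying field fails closed rather than silently shipping it.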