The Fall Of The Privacy Shield


On July 16th, 2020, the Court of Justice of the European Union (CJEU) issued a landmark ruling against Privacy Shield, an agreement between the European Commission and the United States on the transfer of commercial data. The CJEU found that Privacy Shield failed to guarantee Europeans’ privacy, as US privacy protections fall short of those required under EU law. The ruling potentially outlaws any transfer of personal data from the EU to the United States. Absent new American privacy laws, we risk being shut out of global trade, making it illegal for American firms to provide software and services to EU residents.

Privacy Shield was adopted by the European Commission in 2016 as a replacement for the previously invalidated International Safe Harbor Privacy Principles. Privacy Shield aimed to protect Europeans’ data stored in the U.S. by providing safeguards equivalent to those operative in the EU (i.e., the GDPR). First, it imposed stronger obligations on companies handling Europeans’ personal data. Companies had to publish within their privacy policy the right of data subjects to access their data. Data subjects were also granted first-hand knowledge as to whether an organization possessed data about them. Privacy Shield also imposed more robust enforcement, requiring the Department of Commerce to monitor that companies publish their commitments in this regard. Indeed, the US Department of Commerce was required to hold periodic compliance reviews and act as a liaison with European Data Protection Authorities. On top of this, organizations had to provide independent recourse mechanisms free of charge and accept binding arbitration. Second, the US agreed to limit law enforcement and national security agencies’ access to EU residents’ data, promising “clear limitations, safeguards and oversight mechanisms”. Finally, Privacy Shield provided for individual redress through an Ombudsman mechanism.

In 2015, in the wake of the annulment of the International Safe Harbor Privacy Principles, Max Schrems (an Austrian privacy advocate) brought a series of complaints alleging that US national security laws failed to protect EU citizens from government surveillance. In invalidating Privacy Shield, the CJEU cited the unenforceability of Privacy Shield under domestic American law, as well as the lack of limitations on American surveillance activity. Furthermore, the CJEU noted that American surveillance activity is overly broad, going beyond the level of data collection that is actually needed.

In the immediate aftermath of the decision, companies that relied on Privacy Shield are left in the lurch. At a minimum, firms must re-evaluate their data privacy standards, potentially introducing new privacy mechanisms or ceasing work in the EU altogether.

At this point, it is clear that past transatlantic data protection agreements have been inadequate, failing to provide parity with data protection in the EU. While the immediate ramifications are unclear, this decision potentially puts the US at risk of being walled off from customers across Europe. In this way, widespread surveillance is not just a direct attack on American values and the Constitution; it is a direct threat to the future of our tech sector. US businesses risk being shut out of the EU market, with huge risks to future growth. As Max Schrems stated, “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market”.

Research Communications staff