The end of Privacy Shield: what next?

A European Court of Justice (ECJ) ruling invalidating the Privacy Shield agreement leaves the future of EU-US data transfers up in the air.

Late last week, the ECJ concluded that Privacy Shield failed to protect the privacy of people whose data was being transferred to the US. US surveillance programs, it said, were not limited to what was strictly necessary, and data subjects didn't have legal recourse in the US in the event of complaints.

The ruling's been welcomed by privacy campaigners. "This should be a wake-up call to US policy-makers and tech companies," says executive director of Article 19 Quinn McKew. 

"The lack of data protection and pervasive mass surveillance that has been normalized in the US needs urgent reform if the country is going to remain competitive globally and truly defend privacy and free expression."  

However, the ruling means that companies that have relied on Privacy Shield to legitimize their transatlantic data transfers can no longer do so. They will be able to rely on Standards Contractual Clauses (SSCs) - but with extra safeguards that may not always be possible.

"Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection," explains Adam Rose, a partner at law firm Mishcon de Reya. 

"There must now be serious questions as to whether any transfers to the US can be valid."

Other legal mechanisms

Where companies are transferring data to the US within their own organization, they can use Binding Corporate Rules (BCRs) - but there are problems. 

"BCRs are complex to set up, especially in a joint venture or fractional ownership environment, and require entities to accept liability for litigation by data subjects," says Ben Rapp, founder and principal of data privacy consultancy Securys. 

"Critically, BCRs have to be formally approved by the organization’s local EU regulator, which may be difficult to achieve in this new context and will certainly introduce significant delay."

And while Article 49 derogations can cover commercial dealings, these are not to be used for repetitive transfers, though they could facilitate occasional sales from the US to the EU.

So far, there's not been much response from the US, apart from a rather pointed statement from the Secretary of Commerce Wilbur Ross.

"While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts," he says.

"We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1-trillion Transatlantic economic relationship that is so vital to our respective citizens, companies, and governments."

Presumably, some sort of new deal will be thrashed out - though it's hard to see how it can be done in any reasonable timeframe.

As Rapp points out, "It's bound to take some time, since cobbling Privacy Shield quickly was the mistake that led to today's decision, and in the meantime, existing data flows to the US are likely to be unlawful in many cases."