Thousands of U.S. companies have to rethink how they move data from the European Union after the bloc’s top court Thursday invalidated an information-transfer pact known as the EU-U.S. Privacy Shield.
The Court of Justice of the European Union’s decision forces companies to turn to alternative data-transfer mechanisms known as standard contractual clauses or binding corporate rules to send data across the Atlantic. The court let contractual clauses stand with some caveats.
There are “loads of companies that are going to need to pause and ask ‘Holey moley, how are we going to do this now?’” said Rafi Azim-Khan, leader of Pillsbury Winthrop Shaw Pittman LLP’s privacy and cybersecurity practice. Companies “will have to think what is the legal basis for what we do with our day to day stuff.”
The decision could rattle what the U.S. Commerce Department calls a $7.1 trillion transatlantic economic market that U.S. companies—including
Companies that have participated in the Privacy Shield program will have to spend time and money to update privacy policies to show they no longer rely on it, attorneys said.
“Fortunately, there are workarounds to maintain data flows to the U.S., which include the Standard Contractual Clauses,” said Stewart Room, global head of data protection and cybersecurity at DWF LLP. “However, businesses will be asking themselves, ‘What is next?’”
Companies can continue to rely on the Privacy Shield for now, including for processing self-certifications and updating the program’s list, the Commerce Department said in a statement. Businesses got a similar window to transfer their data after the Privacy Shield’s predecessor, the U.S.-EU Safe Harbor agreement, was invalidated in 2015.
Commerce Secretary Wilbur Ross said it’s critical that companies, including the more than 5,300 Privacy Shield participants, transfer data “without interruption,” consistent with the invalidated pact’s protections.
A State Department spokesman didn’t comment beyond Ross’ statement. The Federal Trade Commission, which enforces the Privacy Shield, didn’t immediately comment.
The decision could have even wider ramifications for international data transfers beyond the Privacy Shield invalidation because of concerns over U.S. surveillance activities and legal remedies, attorneys and former officials said.
The EU court decision requires regulators to bar data transfers—even using standard contractual clauses—to third countries where privacy protections fall short of EU law, said Peter Swire, senior counsel in Alston & Bird’s privacy & data security practice.
The decision “casts a shadow” over clauses, said Caitlin Fennessy, former Privacy Shield director at Commerce and now research director at the International Association of Privacy Professionals. Companies will need “a costly, complex analysis of the sufficiency in protections of data provided by countries everywhere,” she said.
The court’s ruling may restrict data from reaching the U.S., said Andrew Baer, chair of Cozen O’Connor’s technology, privacy, and data security practice.
“There needs to be a case-by-case analysis for data transfers to the U.S.,” Baer said. “Certain types of data that is subject to systemic monitoring by the U.S., including social media and communications data,” may face restrictions.
Banks couldn’t sign up for Privacy Shield because they aren’t subject to FTC jurisdiction, but they also could be affected by the court decision, Fennessy said.
“If they are using standard contracts to transfer data out of the EU, they, like all other such companies, will need to do a careful assessment of the protections governing such transfers to determine if they meet EU standards,” she said.
Business and trade group reactions were mixed, but some expressed confidence they could continue transferring data.
“The good news” is clauses remain valid, said Victoria Espinel, CEO and president of BSA | The Software Alliance. “But today’s Privacy Shield decision will create challenges for more than 5,300 businesses,” particularly because data transfers are crucial to economic recovery from COVID-19, she said.
Julie Brill, Microsoft’s chief privacy officer, stressed in a blog post that clauses remain valid despite the Privacy Shield’s invalidation. “Our commercial customers are already protected” under the clauses, she said.
Software vendor Workday said the decision won’t stop their data from moving. “Workday employs other valid data transfer mechanisms not affected by today’s ruling,” said Barbara Cosgrove, the company’s chief privacy officer.
Companies that don’t update their privacy policies risk Federal Trade Commission enforcement for not living up to privacy promises, attorneys said. Businesses may even want to consider keeping their European data within the bloc.
“Some companies will reassess whether they will process some data in Europe,” Azim-Khan said.
Keeping data in Europe, however, risks that the bloc is “going to turn itself into an information island,” said Miriam Wugmeister, co-chair of Morrison & Foerster’s global privacy and data security group.
Some companies will seek a government solution to the data transfer turmoil, attorneys and trade groups said.
“We urge the Trump Administration and our European partners to closely examine the ruling and swiftly negotiate a new framework to support those companies that rely on Privacy Shield for transatlantic data flows,” said Myron Brilliant, executive vice president at the U.S. Chamber of Commerce.
The decision could renew U.S. congressional talks over a comprehensive federal privacy law, attorneys and advocates said.
“This ruling makes clear that no international agreement can adequately protect people’s privacy from the United States’ current mass surveillance programs and practices,” said Ashley Gorski, senior staff attorney with the ACLU’s National Security Project. “U.S. surveillance violates fundamental privacy rights and continues to be a massive financial liability for U.S. companies trying to compete in a global market.”