Court of Justice Strikes Down Privacy Shield: U.S. Surveillance Laws Are Not “Adequate” Under EU Law

https://www.flickr.com/photos/128884785@N06/16216011058/in/photolist-qGXi8y-5eYK2m-5eUnuM-5eUn5H-5xd8qi-2h5YPCR-391TRa-bCZgen-N1zQw3-2if4xVV-6mKV4Q-2j7YVht-5eUnE2-bGpMh8-26ZNPJz-CgZ7tz-Ch1xv6-C7pnsw-2jsaLP9-3fc7qa-2hpSCqD-2iwZLSi-2js6qYm-9FQyxB-2ity5TK-2js6xTo-2jnywm9-cdYAMw-2jqJUdV-bCgt35-5kyE3E-2bM6tP-bCgsH9-fMPy9T-gm8WcD-6zVeqF-fPQRQ-phYiw7-qofyKZ-H43vF2-pk1qSH-2jqJS1d-fhNcJN-9neBqv-9nhCiu-oZQD6i-p1NUjH-ifv9A2-oZQBbr-9neAQg

By: Janice Lopez

On July 16, 2020, the $7.1 trillion economic relationship between the United States and the European Union (EU) was jeopardized by the Court of Justice’s decision that U.S. data protection laws do not afford EU citizens “adequate” protection when their data enters U.S. territory.[1] The transfer of personal data from the EU to U.S. territory must comply with EU data protection law, which is codified in the General Data Protection Regulation (GDPR).[2] The GDPR requires businesses to provide “adequate” privacy protection for the transfer of data from the EU, where adequacy is determined by the European Commission.[3] The U.S. Department of Commerce, together with the European Commission, developed the EU-U.S. Privacy Shield, which is a mechanism that enabled companies to comply with data protection requirements when transferring personal data.[4] In 2016, the European Commission determined that through the EU-U.S. Privacy Shield, the United States provided an adequate level of protection for personal data transferred from the EU.[5]

In July 2020, the Court of Justice invalidated the Commission’s decision and found instead that U.S. law is not adequate because it does not provide EU citizens a level of protection that is “essentially equivalent” to that which is guaranteed in the EU.[6] Companies like Google, Facebook, Twitter and Amazon are all listed as participants of the EU-U.S. Privacy Shield.[7] In late August, Ireland’s Data Protection Commission sent Facebook a preliminary order to suspend data transfers from EU users to the United States.[8] If Facebook fails to comply with the order, the Commission can fine Facebook up to 4% of its annual revenue.[9]

The United States has maintained that its data access laws “meet, and in most cases exceed” the access rules in Europe.[10] This position implies an unwillingness to change the very surveillance laws that caused the invalidation of the Privacy Shield, despite reform becoming both a human rights and economic imperative. In assessing U.S. law, the Court of Justice found that EU citizens do not have the same remedies as U.S. citizens because the Fourth Amendment does not apply to EU citizens.[11] EU citizens therefore have unreasonable difficulty establishing standing to bring a case. The limitations on EU citizens’ remedies are contrary, and therefore not “essentially equivalent,” to Article 47 of the EU Charter of Fundamental Rights, which guarantees the right to an effective remedy and a fair trial.[12]

U.S. surveillance regimes like PRISM and UPSTREAM, which Section 702 of the Foreign Intelligence Surveillance Act permits, concerned the Court because they did not limit what was strictly necessary for the purposes of foreign intelligence; there was no limitation on the scope of surveillance that could be imposed on foreign nationals.[13] In contrast, Article 6 of the GDPR provides only six defined lawful bases for processing personal data — consent, contract, legal obligation, the protection of vital interests, the public interest, or a third party’s legitimate interests — unless the third party’s interests are superseded by fundamental rights.[14] International law also subjects violations of citizens’ rights to privacy to the jurisdiction of the European Court of Human Rights, which examines the legality, legitimacy, and necessity of alleged violations.[15]

The Court of Justice’s decision creates legal uncertainty for several thousand businesses in Europe and in the United States that believed their data transfer mechanisms were compliant with the GDPR. Looking ahead, companies will now have to find alternative methods of legally transferring EU citizens’ personal data to U.S. territory.

[1] U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows, U.S. Embassy in Luxembourg (July 16, 2020), https://lu.usembassy.gov/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows/.

[2] Cameron Abbott et al., EU Court of Justice Invalidates Privacy Shield, Nat’l L. Rev. (July 17, 2020), https://www.natlawreview.com/article/eu-court-justice-invalidates-privacy-shield.

[3] Commission Regulation 2019/679, art. 45, 2016 O.J. (L 119) 61 (“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country…ensures an adequate level of protection.”).

[4] Privacy Shield Overview, Privacy Shield Framework, https://www.privacyshield.gov/Program-Overview (last visited Sept. 13, 2020).

[5] Commission Implementing Decision 2016/1250, 2016 O.J. (L 207) 1 (“[T]he Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield….”).

[6] Case C-311/18, Data Protection Comm’r v. Facebook Ireland, Ltd., ECLI:EU:C:2020:559, ¶ 42 (July 16, 2020) (“Commission Implementing Decision (EU) 2016/1250 of 12 July 2016…on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.”).

[7] Privacy Shield List, Privacy Shield Framework, https://www.privacyshield.gov/participant_search (last visited Sept. 13, 2020).

[8] Sam Schechner & Emily Glazer, Ireland to Order Facebook to Stop Sending User Data to U.S., Wall St. J. (Sept. 13, 2020), https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980.

[9] Id.

[10] U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows, U.S. Embassy in Luxembourg (July 16, 2020), https://lu.usembassy.gov/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows/.

[11] Case C-311/18, Data Protection Comm’r v. Facebook Ireland, Ltd., ECLI:EU:C:2020:559, ¶ 65 (July 16, 2020).

[12] Id.

[13] Id.

[14] Commission Regulation 2019/679, art. 6, 2016 O.J. (L 119) 61.

[15] Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU, Eur. Union Agency For Fundamental Rights (2017), https://fra.europa.eu/sites/default/files/fra_uploads/fra-2017-surveillance-intelligence-services-vol-2_en.pdf.