EU Court of Justice: Privacy Shield abolished

July 16, 2020 is a historic date for trade relations between Europe and the United States, deeply marked by the fall of the “Privacy Shield”, the agreement adopted in 2016 by the European Commission to regulate the transfer of EU citizens' personal data overseas and now effectively struck down by the Court of Justice.

What exactly was the Privacy Shield and what will be the real consequences for businesses?

The 2016 agreement and the ECJ’s ruling of 16 July

With the establishment of the Privacy Shield, the European Commission tried to eliminate the critical aspects of Safe Harbour, the previous 2000 agreement under which US companies were allowed to process the personal data of European users solely by setting up adequate levels of protection in accordance with European privacy law.

However, Safe Harbour did not set sufficient requirements to ensure the protection of the personal data of European citizens and, given the obvious inequality between the protection mechanisms adopted by the United States and the standards in force in the EU, in 2015 the ECJ declared it invalid.

With Privacy Shield, the Commission tried to reduce the cases in which US companies could hand European citizens' data to third parties by establishing tighter controls by the US Department of Commerce, which was charged with preparing a list of American companies “compliant” with the new agreement.
However, the most controversial aspect of the previous decision, namely the possibility that US government authorities could exploit the data of European citizens, was not considered at all.

On the contrary, the ability to ask American companies or organizations to give the government access to data held on cross-border servers was established in the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which in fact represents a heavy limitation of the already weak safeguards of the Privacy Shield.

For these reasons, the ECJ rejected the 2016 decision, and Europe and the United States will therefore have to return to the table to renegotiate an agreement that takes into account what was expressed in the judgment of 16 July.

The repercussions of the fall of the Privacy Shield for companies

Although extremely disruptive, the ECJ’s ruling leaves several alternatives to the 2016 Privacy Shield available, including the so-called “standard transfer clauses”, which remained valid even after the arrival of the GDPR (and are referred to in Article 46, paragraph 2, letter c).
They are based on the equal duty of control imposed on exporters and recipients of data flows to check in advance whether appropriate protection mechanisms have been put in place by the third country. They also provide for a commitment by the recipient to inform the exporter if it is impossible to comply with the content of the clauses, suspending the transfer and possibly withdrawing from the contract concluded.

The GDPR also provides for further cases in which the transfer of data to a non-EU country can be considered legitimate: for example, when it is based on the so-called binding corporate rules, when the processing is regulated by subscription to codes of conduct or, again, when suitable certification mechanisms prepared by national authorities are in place.

With this in mind, it remains to be seen what the next move by the US Government (which has heavily criticized the ruling) will be, especially in view of the enormous economic impact that this decision will have on the budgets of those companies that base their business on the marketing of user data.

What is certain is that, in this period of transition, companies will have to reasonably comply with the rules imposed by the GDPR, especially considering the heavy penalties it imposes. First of all, it will be necessary to verify the role played by the providers of the services subject to data transfer and to update the respective information on the processing accordingly: it will be up to those concerned to decide whether, in the absence of adequate protection mechanisms, they will take the risk of transferring their data abroad (where, it is worth recalling, the protections of the GDPR do not apply).