The European Court of Justice (CJEU) Just Invalidated Privacy Shield
Understand the key CJEU court cases and the broader legal, political, and historical context behind the ruling
In this post, I’d like to give some historical and political context to the recent ruling by the CJEU which invalidated the Privacy Shield program between the EU and the US. This deeper contextual understanding can help you to get a feel for the distinct cultural differences between Europe and the US on technology and privacy. I’ll close the article out by giving you some ideas about what to expect going forward in the absence of any transatlantic regulatory framework. And if you’d like more references or details, you can find a much more extensive discussion of these issues on my homepage.
In case you don’t know what Privacy Shield is (or you thought it was something out of World of Warcraft), the Privacy Shield program provided the legal basis over the past four years (2016–2020) for personal data transfers from EU-residing data subjects to US-based data processors and controllers.
Why is/was Privacy Shield important?
Well, because international personal data flows are a crucial aspect of the global digital economy. Major multinational corporations, such as Apple, Facebook and Amazon, need to send personal data about their users, clients, suppliers, and employees all over the world. According to US Secretary of Commerce Wilbur Ross, the economic value of the EU-US relationship is over $7 trillion USD.
So decisions like the CJEU’s recent one are important because they can have a huge impact on the costs of doing business around the globe. Differing standards for data protection across jurisdictions lead to legal uncertainty, which manifests itself in increased spending on legal counsel, contracts, and updates to massive international databases and information systems, for instance.
Why do the US and the EU even need a special legal agreement?
In short, because data privacy regulations in the EU and the US have followed two different historical and philosophical paths.
The path taken by the US’s main enforcement agency, the Federal Trade Commission (FTC), favors self-regulation, varies according to industry sector, and can be described as “light touch.” Regulators in the USA prefer to let corporations police themselves. After all, the court system exists for the rare instances where self-regulation fails. Or at least that’s what proponents of the American approach to data privacy (known as data protection in the EU) would say.
In contrast, the European approach is “top-down” and based on fundamental rights to privacy and the protection of personal data. We can already see a major difference from the American approach, which avoids discussion of federal rights to privacy or protection of personal data. We only need to remember the East German Stasi and the various state surveillance institutions of the former Soviet bloc to understand why Europeans in general feel privacy protection is so important as to require it in the EU’s Charter of Fundamental Rights (CFR).
In short, you can think of the major difference between the two approaches to personal data processing as embodied by the preference for opt-in (EU) versus opt-out (USA). In the EU, you must explicitly opt in to the processing of your data; in the USA, you must explicitly opt out.
Now that we’ve briefly summarized the philosophical differences between the EU/US approaches to personal data processing, let’s move on to the predecessor of Privacy Shield, Safe Harbor (I know… it’s confusing). Bear with me here, I know it’s a lot of information, names, and dates — and acronyms.
Safe Harbor (RIP: 2000–2015)
The Safe Harbor program (2000–2015) was created to allow European personal data to be legally transferred to the US under the EU’s 1995 Data Protection Directive. Not familiar with the Directive? The 2018 GDPR is essentially the updated version of the 1995 Directive.
Anyway, Safe Harbor consisted of a set of seven privacy principles that enterprises voluntarily followed. Companies self-certified as following the principles — didn’t I tell you the USA loves the concept of self-regulation? Nevertheless, the Safe Harbor agreement, which had been in effect for nearly 15 years, was suddenly struck down by the CJEU and replaced by Privacy Shield in 2016. And as we saw yesterday, Privacy Shield was struck down in 2020.
The Basics of Safe Harbor
The Safe Harbor agreement was founded on a set of principles closely related to the OECD’s seven principles of protection of personal data, which also influenced the GDPR. By agreeing to participate in Safe Harbor, US corporations were essentially committing to follow privacy standards nearly equivalent to those in the GDPR. To be Safe Harbor-certified, US corporations had to promise to process European personal data according to the following principles:
- Notice: Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
- Choice: Individuals must have the option to opt out of the collection and onward transfer of the data to third parties.
- Onward Transfer: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security: Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity: Data must be relevant and reliable for the purpose it was collected.
- Access: Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
- Enforcement: There must be effective means of enforcing these rules.
The European Commission and “Adequacy”
But why did the European Commission feel the need to create the Safe Harbor agreement in the first place? Well, according to the EU’s 1995 Directive, the European Commission can come to a decision as to whether a third country, such as the US, provides adequate “protection of the privacy and fundamental rights and freedoms of individuals,” which are embodied in the seven principles above.
In 2000, the European Commission viewed the US as meeting the minimum standards of personal data protection, provided that companies adhered to the Safe Harbor agreement.
Judgments of non-compliance were thus left in the hands of the very corporations that had economic incentives to use personal data to improve their products and services and, in the case of companies like Google and Facebook, to serve more accurate ads. It was also possible for companies to pay for third-party verification services if they chose not to re-certify annually. Additionally, participation in the regime was weak: after nearly four years, only 400 companies had registered with the US Department of Commerce, though by 2015 nearly 5,000 had joined. These problems at the outset foreshadowed the eventual demise of the agreement 15 years later.
Invalidating Safe Harbor: Three Key CJEU Court Cases
In order to understand the creation and eventual invalidation of the Safe Harbor agreement between the EU and the US, we need to look at three key CJEU court cases. The first is Schrems (in 2015), the second is Digital Rights Ireland (in 2014), and the third is Google Spain (in 2014). We will see how Privacy Shield arose as a response to issues raised in these cases.
The Schrems Case (2015)
The Schrems case was the culmination of several other landmark “digital rights” cases that eventually led to the invalidation of Safe Harbor. Schrems was the straw that broke the camel’s back, so to speak.
In 2013, the Austrian citizen Max Schrems made a complaint to the Irish Data Protection Commissioner in which he claimed that Facebook Ireland’s transfer of EU citizens’ personal data to the US violated EU law. At the time, these kinds of transfers were legally valid under the Safe Harbor agreement.
Essentially, the argument made by Schrems was that in light of Edward Snowden’s leaking of classified US government surveillance programs, “there was no meaningful protection in US law or practice” for personal data transferred to the US because US law enforcement could obtain access to personal data without a court order.
Initially, Schrems’ complaint was dismissed by the Irish Data Protection Authority (DPA) because Schrems could not demonstrate that his personal data were actually affected. Yet, just one year later, the Irish High Court ruled differently and concluded that Schrems did in fact have legal standing under EU law, due primarily to the Digital Rights Ireland holding (see below). Roughly, that holding established that a complainant did not need to have been personally affected in order to show that his right to respect for private life (Articles 7 & 8 of the EU’s Charter of Fundamental Rights) had been infringed.
The court also expressed concerns about US law enforcement surveillance and the lack of personal data protections in US law. In particular, the court noted that EU data subjects had no effective means of judicial review under Safe Harbor for privacy complaints. Ultimately, the court found that the “adequacy” of the protection given to personal data in the Safe Harbor agreement was not enough and declared it invalid in 2015.
The Digital Rights Ireland Case (2014)
In coming to its ruling in the Schrems case, the Irish High Court based its decision mostly on the CJEU’s judgment in Digital Rights Ireland, which invalidated the 2006 Data Retention Directive. This 2006 Directive modified the 1995 Directive and allowed for the general retention and collection of communications metadata for purposes of law enforcement in the EU.
According to legal scholar Nori Loideain, Digital Rights Ireland is highly significant because it “marked the first time that the CJEU has ever struck down an entire EU legal instrument due to its incompatibility with the EU Charter,” which had the practical legal effect of solidifying the influence of fundamental rights on EU legal decisions.
Loideain further says Digital Rights Ireland established that:
“strict legality, necessity, and proportionality standards must underpin the safeguarding of privacy and data protection rights.”
These concepts are important because they also play a major role in the principles underlying the GDPR. See our GDPR paper here for more info.
The Google-Spain Case (2014)
The third major case related to personal data privacy and protection came shortly after. Again, according to Loideain, this decision established that “EU citizens have a right to have links concerning them delisted from search engines that essentially encroach on their private lives and the protection of their personal data.”
This idea led to the now famous right to be forgotten that was added to the GDPR. In short, the Google-Spain case addressed two major issues of the digital age:
1) search engines like Google can act as a permanent store of an individual’s personal data, even when those data are incorrect or have been removed at the source;
2) search engines like Google can have a big impact on one’s online and offline identity and reputation.
Nevertheless, the Google-Spain decision was hotly debated. Opponents of the decision argued that it limited free speech and access to information.
Safe Harbor is Reborn as Privacy Shield
The CJEU’s sudden invalidation of Safe Harbor in 2015 did not come out of the blue. After the Snowden leaks, European legislators were rightfully wary of both US governmental institutions and corporations. For instance, some European Parliament members alleged that Safe Harbor signees Microsoft and Google played a role in US government surveillance programs.
With a legal vacuum persisting for over one year, the new Privacy Shield agreement was released in February of 2016 and included revamped versions of the privacy principles found in Safe Harbor, plus additional principles such as legal recourse for European citizens. Legal redress or recourse effectively means that legal persons have access to courts, where they can petition for compensation for any “wrongs” done against them.
The Basics of Privacy Shield (RIP: 2016–2020)
Unlike Safe Harbor, Privacy Shield contained commitments from US national security officials that EU data subjects’ rights would be respected. As mentioned above, this included redress possibilities for EU citizens who believed their data to be compromised by US-based processing. It also meant an increase in the authority of the FTC to help monitor disputes.
Seen this way, the Privacy Shield framework may be considered something close to a “default hybrid” approach to data governance. In other words, by default, companies are largely left to self-regulate and self-certify adherence. However, EU Data Protection Authorities and the FTC could become involved if companies did not respond to complaints within a specified amount of time. As of 2018, there were about 3,200 US companies participating in the agreement.
But even before yesterday’s invalidation of Privacy Shield, there were some residual worries about US surveillance activities and legal remedies for EU citizens. In fact, in 2016 the US Congress was prompted to pass the “Judicial Redress Act,” giving EU citizens formal means of legal redress for privacy violations. The argument behind this was that it would increase European confidence in the Privacy Shield framework and US data protection laws. As we know now, this apparently wasn’t enough.
Ways Out: Standard Contractual Clauses and Binding Corporate Rules
Yesterday’s ruling by the CJEU effectively said that Privacy Shield “does not provide data subjects with any cause of action before a body which offers guarantees” at the level of EU law. This statement should be no surprise after you’ve seen a bit of the history of Safe Harbor. It too seemed doomed to fail. Yet another regulatory vacuum has been created.
On the positive side, the CJEU did affirm standard contractual clauses (known as SCCs) as a valid legal means of transfer. Global personal data flows will thus not completely dry up, but they will likely become more complicated and expensive until a new arrangement is found.
Unfortunately, standard contractual clauses have a host of problems and typically make sense only for basic, ad-hoc data transfers — multinationals would do best to avoid them if possible. In the meantime, if standard contractual clauses don’t cut it, what else can multinationals use to transfer personal data?
The GDPR introduced what it calls Binding Corporate Rules (BCRs). These “certified,” but self-developed, rules make it easier for multinationals to transfer personal data internationally to countries without “adequate” data protection. This is an area of international law which is actively developing, as both Taiwan and South Korea have had talks with the EU about adapting their own national standards to reach the EU standard. Right now only about 13 countries, including Israel, New Zealand, Argentina, Canada (commercial firms only) and Japan, have passed the adequacy test.
The Future: A Global Splinternet?
Only time will tell whether the world adapts to the EU’s standards (or perhaps China’s…), or whether individual countries will adopt their own standards for the collection and processing of personal data. We could end up with a global hodgepodge of complex, and often contradictory, data privacy regulations.
As the legal scholar Joanna Kulesza presciently wrote, in the post-GDPR world, the Internet may start to resemble more of a Splinternet as competing government-led privacy regimes duke it out for global hegemony.