EU-U.S. Data Sharing Agreements in Question

The Court of Justice of the European Union struck down a major data sharing agreement between the United States and the European Union, but confusion remains about what measures corporations can use to share data across the Atlantic.

In its landmark ruling on 16 July 2020, the court found that the Privacy Shield data sharing agreement did not provide adequate protections for EU citizens and residents’ data, or provide sufficient post-data collection review mechanisms. Both of those elements were requirements that Privacy Shield was designed to address after the court struck down the Safe Harbor data sharing agreement in 2015.

At the time that Privacy Shield was agreed to, then EU Commissioner Věra Jourová said Privacy Shield would protect the fundamental rights of Europeans when their personal data was transferred to the United States.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms,” Jourová said.

After reviewing a lawsuit by Maximilian Schrems against Ireland’s data commissioner and Facebook, however, the court found that the safeguards Privacy Shield was designed to provide for Europeans were not adequate.

“In the view of the court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary,” according to a press release from the court. “The court adds that, although those provisions lay down requirements which the U.S. authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the U.S. authorities.”

The court’s ruling places the data sharing agreement that roughly 5,300 companies—predominantly small- and medium-sized businesses—rely on into limbo because the ruling has immediate impact. European data protection commissioners have also not, as of Security Management’s press time, released statements clarifying if they will provide a grade period for companies while they work with the United States to craft a new agreement for data sharing. In the meantime, the court left open the option for companies to use standard contractual clauses to share data.

“The protection of personal data requires actionable rights for everyone, including before independent courts,” said the European Data Protection supervisor in a statement. “It is more than a ‘European’ fundamental right—it is a fundamental right widely recognized around the globe. Against this background, the EDPS trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the court.”

In a statement on the decision, U.S. Commerce Secretary Wilbur Ross said in a statement that he was “disappointed” in the court’s decision and that organizations participating in Privacy Shield are not relieved from their obligations under the data sharing agreement yet.

“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said. “Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”

Crafting a new data sharing agreement could be a time-consuming process. Caitlin Fennessey, director of research for the International Association of Privacy Professionals, was the U.S. Department of Commerce staff lead for the creation of the Privacy Shield agreement—which took more than two years to come to fruition.

The United States and Europe may be able to reach an agreement about how to share data, but it might involve changes to U.S. law and surveillance tactics, Fennessey explains, including acts of Congress and executive orders from the president.

“Is a new mechanism that looks and smells and feels like Privacy Shield the result here? Or do U.S. practices need to change? Or is there another approach that needs to be taken to this issue?” she asks. “If a new mechanism like Privacy Shield is what is pursued here…the court ruling suggests that it would require changes in U.S. laws.”

For more on the court’s ruling and the future of data sharing, look to the October issue of Security Management.