It was a moment of déjà vu. For the second time in five years, the Court of Justice of the European Union (CJEU) struck down a data sharing agreement between the United States and the European Union after reviewing a case brought by Austrian Maximillian Schrems.

The 16 July 2020 decision by the CJEU found that the Privacy Shield data sharing agreement did not provide adequate protections for EU citizens’ and residents’ data nor provide sufficient post-data collection review mechanisms.

“In the view of the court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary,” the court explained in a press release. “The court adds that, although those provisions lay down requirements with which the U.S. authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the U.S. authorities.”

The court also found that an ombudsman position created to review instances of EU citizens’ and residents’ data collection was not independent and had no authority to bind U.S. intelligence agencies to its decisions.

Both of those elements were requirements that Privacy Shield was designed to address after the court struck down the Safe Harbor data sharing agreement in 2015, also because of a lawsuit brought by Schrems challenging the transfer of his personal data from Facebook’s Ireland location to its corporate headquarters in the United States.

“I am very happy about the judgment. It seems the court has followed us in all aspects,” said Schrems in a statement following the ruling. “This is a total blow to the Irish (Data Protection Commission) and Facebook. It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market.”

Because the court’s ruling has an immediate impact, it places the data sharing agreement that roughly 5,300 companies rely on in limbo. And as of Security Management’s press time, European data protection commissioners had not released statements clarifying if they would provide a grace period for companies while they worked to craft a new agreement.

Instead, the court left it open that companies could rely on standard contractual clauses (SCCs)—set terms for data sharing that have been approved by the European Commission—to continue data sharing. But they are not a foolproof solution, says Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP.

“Global companies will need to scramble to examine their data transfer mechanisms,” she adds. “Businesses that use SCCs are also under the gun. While the decision kept SCCs in place as a transfer tool, there are new and immediate obligations that companies relying on SCCs for their data transfers will need to consider, particularly with respect to transfers to the United States. Having SCCs in place is not a get-out-of-jail-free card.”

The potential repercussions for multinational businesses where SCCs are not sufficient or possible range in severity, Sotto says.

“Companies that violate the [General Data Protection Regulation] are subject to a panoply of possible sanctions, the most significant of which is a fine that could reach 4 percent of the organization’s annual global revenues,” she explains. “In addition, EU data protection authorities may suspend or prohibit data transfers that violate the law’s requirements. Also, data subjects themselves have a right to compensation for damage caused by a violation of the law.”

The U.S. Department of Commerce and the European Commission released a joint statement in August 2020 that they had initiated discussions to evaluate the potential for an enhanced Privacy Shield framework.

In the meantime, U.S. Department of Commerce Secretary Wilbur Ross said that companies already engaged in Privacy Shield agreements are not relieved from their obligations, and that he remains committed to reaching a new agreement with the European Union.

“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said. “Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”

Creating a new data sharing agreement may not be easy, though. Caitlin Fennessy, director of research for the International Association of Privacy Professionals (IAPP), was the U.S. Department of Commerce staff lead on crafting Privacy Shield—a lengthy process that began in 2013 and went into effect in 2016.

The first Schrems ruling helped provide a roadmap of what Privacy Shield would need to incorporate to be accepted by the European Commission, Fennessy says. That included an onward transfer principle, which required participating companies to include privacy protections mandated in Privacy Shield in their contracts.

Privacy Shield also enhanced the oversight role of the U.S. Department of Commerce, such as verifying the commitments companies made to be compliant with Privacy Shield, conducting randomized checks, and testing points of contact at participating companies. The data sharing agreement also required participating companies to limit data transfers to third parties for narrow and specified purposes, among other provisions.

The court’s review found that U.S. companies could not abide by those requirements because of U.S. intelligence and surveillance practices. Currently, the U.S. intelligence community can obtain data—not limited to metadata—on foreign nationals from U.S. companies, while also requiring those companies not to disclose that data was shared.

Reaching a new Privacy Shield-like agreement may require the United States to reform its surveillance practices—something that is unlikely to gain traction with lawmakers this fall.

“Could there be a similar setup where an ombudsperson has more complete independence and authority? Yes—that’s achievable; it might involve Congressional action, but that seems achievable,” Fennessy says. “It’s a much bigger question whether the U.S. government is willing to change its surveillance practices and the rights afforded to foreign nationals.”

Reforming U.S. surveillance practices is a goal of many privacy advocates, including the Center for Democracy and Technology. In a statement on the ruling, the center’s President and CEO Alexandra Givens said the court’s decision was a “wake-up call” that “stronger privacy protections needed to be built in” to the U.S. intelligence surveillance authorities practices.

“People outside the United States have rights that U.S. surveillance law and practice must honor,” Givens explained. “Surveillance reform has long been a human rights imperative; now, it is an economic imperative as well.”

But this also poses a conundrum, wrote Peter Swire, senior counsel with Alston & Bird LLP and Elizabeth and Tommy Holder chair of law and ethics at the Georgia Tech Scheller College of Business, in a brief for IAPP on the court’s ruling.

“One flaw, according to the court, is the lack of individual redress—an EU person, such as Max Schrems, does not have access to the courts in the U.S. to review what the National Security Agency may do with his data,” Swire added. “For national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries.”

The decision and the court’s reasoning for striking down Privacy Shield also poses questions for how the court will consider data sharing agreements between the European Union and other nations, writes founding editor Jennifer Daskal for Just Security.

“If the U.S. system is inadequate, what about China? Or another powerhouse, India?” asks Daskal, who is also a professor and faculty director of the Tech, Law, and Security Program at American University Washington College of Law. “Or any number of other countries to which companies may have a need to transfer or interest in transferring personal data, whether for human resources, economic, or other reasons?”

Who is Maximillian Schrems?

Maximillian Schrems is an Austrian lawyer, privacy advocate, and founder of noyb (My Privacy is None of Your Business). He has also been a Facebook user since 2008, meaning some of his personal data shared with the social media company was transferred from Facebook’s Ireland servers to servers located in the United States.

Schrems filed a complaint with the Irish Data Protection Commission in 2015 to force Facebook to stop these transfers, claiming the United States did not provide sufficient protection to prevent his data from being obtained by U.S. intelligence agencies. His claims were based on revelations leaked by former National Security Agency contractor Edward Snowden about U.S. national security programs.

The Irish data authority rejected Schrems’ initial complaint, leading to a lawsuit, which ultimately led the EU Court of Justice to rule that the data sharing agreement between the United States and Europe at the time—Safe Harbor—was invalid because it did not provide sufficient protections for EU residents’ data (Schrems I).

The United States and the European Union then worked to create a new data sharing agreement, Privacy Shield, that was designed to enhance protections for EU residents’ data and went into effect in 2016.
Schrems, however, filed a renewed complaint with the Irish Data Protection Commissioner to again challenge Facebook’s data transfers from Ireland to the United States.

The Irish authorities reviewed Schrems’ complaint and determined that despite the new requirements under Privacy Shield, U.S. laws and national security practices did not provide legal remedies to EU citizens and additional data sharing agreements—standard contractual clauses—did not remedy those shortcomings.

The Irish Data Protection Commission sued Facebook, and the Irish High Court referred the case to the EU Court of Justice to answer questions about the validity of SCCs and if data sharing transfers under Privacy Shield violated EU residents’ rights.

The EU Court of Justice examined the case (dubbed Schrems II) and ruled in July 2020 that Privacy Shield still did not adequately protect EU residents’ data or provide them with a cause of action for addressing violations.