Schrems II “Was always going to be a major test for the Privacy Shield,” Steve Durbin, Managing Director, ISF
The EU court decision in the Schrems II case that effectively kills the Privacy Shield pact hammered out four years ago between the U.S. and EU could cripple multinational companies’ ability to operate as they scramble to scrutinize their data transfer mechanisms.
“This is a stunning and completely unexpected decision. In invalidating the Privacy Shield framework, the European Court of Justice has jeopardized the ability of thousands of companies to do business in the EU,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth. “This decision not only topples a well-ensconced data transfer regime that is relied on by over 5,000 U.S. companies, but it also calls into question the ability of multinational companies to transfer data to the U.S. under any mechanism.”
But Steve Durbin, Managing Director of the Information Security Forum (ISF), said Schrems II “was always going to be a major test for the Privacy Shield,” so for many, the decision “has come as no surprise that the European Court of Justice has responded in this way,” considering the jumble of state privacy laws currently governing personal data in the U.S.
The ECJ essentially agreed with Austrian privacy advocate Max Schrems, who claimed that the privacy pact didn’t protect EU citizens from being spied on by the government, pointing to U.S. national security laws allowing surveillance of foreign nationals.
The then 28 members of the EU gave their approval to a rejiggered EU-US Privacy Shield Agreement in July 2016, but privacy advocates stressed the pact would likely be challenged in court, much like its predecessor, the Safe Harbor agreement. The ECJ had struck down Safe Harbor in response to a previous Schrems case, brought in the wake of former CIA subcontractor Edward Snowden’s revelations that the NSA was running a covert program that spied on and collected data about U.S. citizens.
In today’s decision, the court said U.S. surveillance laws “are not limited to what is strictly necessary.”
“This judgment is the second major blow delivered to the U.S. privacy and data protection legal framework by the EU Court of Justice relating to the Snowden disclosures, and in today’s climate of unstable transatlantic political relationships, it is unlikely to meet with approval in the U.S.,” said Stewart Room, global head of data protection and cybersecurity at DWF.
With the death knell sounded on Privacy Shield, the 5,300 or so companies previously under its protection must rely on standard contractual clauses (SCCs), the mechanism Europe uses for transfers to companies in other countries and one already used by some U.S. organizations, such as Microsoft.
The court’s action also has created a good bit of uncertainty for the companies once covered by Privacy Shield, and privacy advocates questioned the timing of the ruling. “The impact on business? Not great,” said Durbin. “At a time when many businesses are doing all they can to remain open and trading post-pandemic as we head into one of the worst global recessions for some time, this additional compliance burden is something many could have well done without.”