It’s hard to believe that it’s been almost five years since the Court of Justice of the European Union (“CJEU”) decided Schrems I, invalidating the safe harbor provisions for transfer of personal data of European nationals to the United States. The safe harbor provisions were a set of data privacy principles US companies would agree to follow in order to receive personal data of EU and Swiss persons. That decision required a lot of technology agreements to be modified so they did not rely on the safe harbor provisions.
One of the reasons the safe harbor provisions were struck down was because they did not bind the US government. While US companies may agree to follow the principles, that would not stop the US government from collecting data in ways that, while legal in the US, may not be in the EU.
After Schrems I, the US and EU entered into negotiations on a new set of privacy principles that would be implemented by the US government. One result was the passage of the Judicial Redress Act that gave non-US nationals the right to sue in US courts for privacy violations, including violations by the federal government of the Privacy Act of 1974.
On July 16, 2020, the CJEU issued another opinion in the case brought by Max Schrems. In this latest opinion, the CJEU has invalidated the US-EU Privacy Shield. The Privacy Shield, while providing EU and Swiss persons with protections like those of US nationals, was found invalid because US domestic law permits the government to carry out surveillance activities that the CJEU believes are not permitted in the EU.
The decision may have impacts well beyond data transfers from the EU to the US. The rationale of the opinion would likely apply to transfers of data to countries with similar or less protective surveillance laws. If agreements with other countries, such as China, are allowed to continue, the US would have a good basis to claim that the invalidation of Privacy Shield is discriminatory and that the EU is in violation of its obligations as a WTO member.
Parties, however, remain able to utilize the Standard Contractual Clauses adopted by the European Commission. In fact, the CJEU specifically upheld the Commission Decision establishing these clauses. In doing so, though, the court stressed that the inclusion of the clauses is not enough. Companies in the US and the EU will need to implement policies and procedures to monitor compliance with, and effect enforcement of, the clauses.