Last week, the European Court of Justice struck again, invalidating the Privacy Shield that has provided the legal basis for transatlantic data flows since 2016. With its decision, the European judges on the case removed the legal foundation of much transatlantic digital commerce. The court’s ruling is a major blow to more than 5,300 US and EU companies that had relied on the Privacy Shield for their data transfers. Yet the effects of the decision reach beyond EU-US commercial relations. The court sent a clear signal that any data flows out of the European Union are prohibited unless foreign countries offer privacy protections equivalent to those provided by the European General Data Protection Regulation (GDPR).
The GDPR bans data transfers from the EU to the United States due to a far-reaching US government surveillance regime that can encroach on personal privacy. The Privacy Shield is a legal instrument that was negotiated to alleviate the EU’s concerns in this area. It contains additional privacy protections that companies can adopt to gain the right to transfer data from the EU to the US. Yet the court ruled that the Privacy Shield falls short of European standards on fundamental rights. The ruling should not come as a surprise. It built on a 2015 decision in which the court invalidated the Safe Harbour agreement, which was the predecessor of the Privacy Shield.
While undoing the Privacy Shield, the court upheld the validity of another common international data transfer mechanism – standard contractual clauses (SCCs). The SCCs are a set of terms and conditions used in commercial contracts that the European Commission regards as providing adequate safeguards for data transfers. Yet even this aspect of the ruling provides only limited relief for the business community. Companies that rely on SCCs are left with the daunting task of verifying that foreign countries’ surveillance regimes do not undermine the EU’s privacy concerns, using the high privacy standard that the court set as a benchmark.
The stakes are high in the court decision, as it has thrown much transatlantic commerce into disarray. Unhindered data flows are critical in sustaining the $7.1 trillion transatlantic economic relationship. Manifold industries rely on data transfers in their business operations. This applies not just to large technology companies such as Amazon, Facebook, and Google but also to banks, law firms, and the many other commercial entities that obtain some personal data when they sell products to European customers.
The immediate consequence of the ruling is grave legal uncertainty for thousands of companies that handle European data. They must urgently identify an alternative mechanism to legally transfer data. Now that the European Court of Justice has struck down both Safe Harbour and the Privacy Shield, it is unclear if the Commission will attempt to negotiate a third agreement – and how stable any such agreement would be. Meanwhile, companies are likely to turn to SCCs or binding corporate rules, which are approved data protection obligations they can follow to transfer data within a corporate group. Yet both SCCs and binding corporate rules require verification that they meet the high standards set by the court. Companies may also try to adopt additional safeguards, such as the encryption of the data they transfer, in an effort to satisfy European data protection standards. But any such strategy remains vulnerable in that it may conflict with US law enforcement agencies’ requirement for firms to disclose relevant data.
The court ruled that the Privacy Shield falls short of European standards on fundamental rights. The ruling should not come as a surprise.
Other solutions are unlikely, commercially unappealing, or risky. Privacy advocates take the view that data flows can be reinstated and legal challenges avoided if the US revises its rules on surveillance. But this is unlikely in today’s tense geopolitical environment. A second solution would be for companies to store all European personal data in the EU and agree not to export it. But this strong variant of a data localisation requirement would be commercially costly and technically questionable. Nonetheless, disregarding the court’s ruling would also be risky, as non-compliance would expose companies to fines that can amount to 4 per cent of their global – not just EU – revenue. The risk of sanctions of this magnitude is widely expected to steer companies towards compliance.
The decision on the Privacy Shield is likely to lead to further global alignment with the EU’s data protection rules. This reinforces a development known as the Brussels Effect: multinational companies’ adjustment of their global conduct to EU rules, with the aim of achieving uniformity and forgoing the costs of adherence to multiple compliance regimes. Many global technology companies – including Apple, Facebook, Google, and Microsoft – have already adopted global privacy policies that mirror the GDPR. Some of these companies have also become advocates of GDPR-style federal law in the US, as evidenced by recent calls from Apple’s Tim Cook and Facebook’s Mark Zuckerberg for the US to follow the template set by the EU. Many foreign countries – including those with large economies, such as Brazil, Japan, South Africa, and South Korea – have already emulated the GDPR as the “gold standard” of privacy laws. Many others now have an additional incentive to do so as they seek to pre-empt costly disruptions to data flows – akin to what is now happening with the unravelling of the Privacy Shield.
The court decision will also have ripple effects far beyond transatlantic data flows. As data controllers now need to verify the compliance of third-country laws with the EU’s fundamental rights protections, it is almost certain that no European personal data can flow to China, Russia, or another authoritarian country. These countries’ surveillance regimes present an even greater challenge to the EU’s privacy protections than the now-contested American surveillance laws. Even the United Kingdom will find it exceedingly difficult to preserve data flows between it and the EU after the Brexit transition periods expires, given British surveillance practices. This further increases the pressure on the UK to align its privacy protections with those of the EU, making it harder for the British government to fulfil its promise to reinstate the UK’s regulatory sovereignty after Brexit.
While it remains unclear what will emerge to replace the Privacy Shield, the European Commission and the US government have a shared interest in protecting transatlantic data flows that are vital to companies on both sides, as evidenced by comments from European Commission Vice-President Vera Jourova and US Commerce Secretary Wilbur Ross in the immediate aftermath of the court ruling. As such, there is strong political pressure for the EU to reach some form of agreement with the US. But this political imperative is clearly on a collision course with the European Court of Justice. The court has warned the Commission – not once, but twice – that any political compromise that falls short of the EU’s high standards of data protection will not be allowed to stand.
This commentary was supported by Hablamos de Europa, an initiative of the Spanish Ministry of Foreign Affairs, European Union, and Cooperation.
Anu Bradford is an ECFR council member. She is Henry L. Moses Professor of Law and International Organization at Columbia Law School and a senior scholar at Columbia Business School’s Jerome A. Chazen Institute for Global Business. She is the author of The Brussels Effect: How the European Union Rules the World (OUP 2020). Twitter: @anubradford.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of its individual authors.