The European Court of Justice (ECJ) has ruled that the US-EU Privacy Shield is no longer valid, as it does not offer sufficient protection for EU citizens and their data. Specifically, the Privacy Shield allows American security services to access data, which the Court considers a breach of EU citizens’ rights.

Wait, what is the Privacy Shield again?

The Privacy Shield is the latest incarnation of an agreement between the European Commission and the US Government to allow for the commercial transfer of personal data. Created in 2016 to replace the International Safe Harbour Privacy Principles, the idea was that data would have an equivalent level of protection to that which it receives inside the EU.

What went wrong?

The Shield has faced challenges since its inception. Before the framework even went into effect, the European Data Protection Supervisor stated that “the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court.”

The legal challenge brought before the ECJ centres on the US Foreign Intelligence Surveillance Act (FISA), which allows the National Security Agency (NSA) to obtain data held by “electronic communication services providers” about people who are not American citizens or who do not reside in the USA. This terminology covers both social media platforms and ESPs.

What do I need to do?

First off, check where your data is being held. If, like Spotler, your ESP stores all your data in Europe or the United Kingdom, this ruling doesn’t change anything for you.

If your data is held in the USA, you need to take action – there is no grace period during which you can keep on transferring data to the U.S. The ECJ ruling means the Privacy Shield is immediately invalid, so transferring the data of EU citizens to the USA is now illegal.

Marketers – you need a ‘new shield’

This ruling is particularly relevant for the marketing community as a number of UK companies use email and marketing automation providers that host their data in the US. If this is you, you are now in breach and need to act quickly to make sure your data is secure and hosted within the EU.

What comes next?

Some data transfer may still be legal under Standard Contractual Clauses, or SCCs, which concern specific contracts between companies rather than the practice as a whole. These will be left to national-level data authorities to invalidate or uphold, which means the Information Commissioner’s Office (ICO) for UK companies.

However, the Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

The ICO is considering its response; you can find its latest guidance in the ICO statement linked under Top Resources below.

You can also find information about SCCs, and the other implications of this ruling, from the Data and Marketing Association. John Mitchison, DMA Director of Policy and Compliance, said: “This ruling by the Court of Justice of the EU (CJEU) could create a lot of disruption and work for some organisations, but in the end, I believe we will see this as a positive outcome. Data transfers to the US do not provide the level of protection EU data subjects have come to expect with GDPR.”

Top Resources:

https://dma.org.uk/article/european-court-of-justice-strikes-down-us-privacy-shield

https://www.euractiv.com/section/digital/news/eu-us-data-transfers-at-critical-risk-as-ecj-invalidates-privacy-shield/

https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/