Our mission to help you navigate the new normal is fueled by subscribers. To enjoy unlimited access to our journalism, subscribe today.
If you’re an American company with European users or customers, and you transfer their personal data to the U.S. for company use, you need to be aware of what just went down at the EU’s top court today.
That’s because the Court of Justice (CJEU) just made a huge ruling. The upshot: it’s possible you will no longer be able to serve people in the EU—if not now, then in the not-too-distant future.
You can read our full story on that ruling separately, but here’s a quick run through the implications. And again, those implications could be immediate, depending on your circumstances.
U.S. companies using Europeans’ personal data need some sort of legal justification for doing so. That’s because the U.S. lacks an EU-strength federal privacy law (or indeed any comprehensive federal privacy law at all.)
By far the easiest way to keep things legal was to sign up to the so-called Privacy Shield register—essentially, self-certifying that the company will stick to EU rules. This register was created under a trans-Atlantic deal of the same name, struck between the U.S. and EU in 2016.
That deal is now dead. The CJEU on Thursday cancelled it with immediate effect, basically for two reasons: it didn’t stop U.S. intelligence from poking around companies’ data even if they were on the list; and there was no effective way for EU citizens to file a complaint about this in the U.S.
The U.S. Department of Commerce reacted by indicating it would be, in a sense, business as usual. In a statement expressing disappointment with the ruling, the department said it would “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
“Today’s decision does not relieve participating organizations of their Privacy Shield obligations,” it added.
The Europeans beg to differ. To paraphrase Monty Python’s Dead Parrot sketch, Privacy Shield has passed on; it has kicked the bucket; it has shuffled off its mortal coil, run down the curtain and joined the bleeding choir invisible. It is an ex-agreement.
So you can continue to abide by the register’s obligations—essentially, respecting EU privacy law as best you can—but that no longer means your EU-U.S. data transfers are legal in European eyes. Which was the whole point of the register to start with.
(There may still be a legal reason to keep those promises over in the U.S., though. “Companies that have made privacy promises under Privacy Shield could be subject to enforcement for deceptive practices if they do not live up to those privacy promises,” said Peter Swire, a senior counsel at law firm Alston & Bird.)
Eline Chivot, senior policy analyst at the Center for Data Innovation, described the impact well in a statement Thursday: “The decision delivers a severe blow to the operations of over 5,000 European and American companies who use the EU-U.S. Privacy Shield as the legal basis for transatlantic data transfers. It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”
Standard contractual clauses
But what if Privacy Shield isn’t your only legal basis for those transfers?
Some U.S. companies such as Facebook (the firm involved in this particular case) and Microsoft have for years also been relying on a mechanism called “standard contractual clauses,” or SCCs. These are, as the name suggests, oven-ready clauses that the European Commission wrote, again outlining a range of rights and responsibilities in line with the EU’s strict GDPR privacy law.
The court did not strike down SCCs, though it had the option to do so.
It said SCCs were fine in general because an EU privacy regulator can still invalidate them on a case-by-case basis if a company is breaking the clauses’ terms or is unable to stick to them—because, say, it can’t stop the intelligence services back home from conducting mass surveillance on the data.
This is where the striking-down of the Privacy Shield becomes a problem for Facebook and any other big American tech company relying on SCCs to send Europeans’ data over to the U.S.
Although the Snowden revelations of 2013 led to some limited reforms in U.S. surveillance law, Section 702 of the Foreign Intelligence Surveillance Act (FISA) still allows for the mass collection of non-Americans’ personal data from Big Tech firms.
Some in the U.S. argue that surveillance only starts when the agencies actually look at the data—which is a more restricted activity. But the Europeans see surveillance as starting at the point of collection. So in European eyes, the U.S. regularly conducts mass surveillance on Europeans’ data—and there’s nothing the U.S. companies handling that data can do about it.
That’s serious enough to have scuppered Privacy Shield (and its predecessor, Safe Harbor) so it is difficult to see how the SCCs used by a company like Facebook can survive if challenged before an EU privacy authority.
“Although the system of standard contractual clauses will remain in principle and the standard contracts concluded will initially remain in force, they will have to be reviewed and, if necessary, suspended by the data protection authorities in the light of the [CJEU] ruling,” wrote former German data protection chief Peter Schaar in a blog post.
So what now?
Of course, not every American company serving Europeans is a Facebook or Google. If you don’t have U.S. agencies scrutinizing your data under Section 702 of FISA—if, for example, you’re an airline or a retailer—then SCCs could still work for you.
The big difference now is that you’ll first have to convince EU privacy regulators that European customers’ data isn’t subject to surveillance in the U.S.
“Data exporters and importers using the standard contract clauses must verify the level of protection in the [country where the data is going] first. The importer also has a duty to report any issues to the exporter,” said Tony Vitale, a partner at JMW Solicitors, in a statement.
And if your processing of Europeans’ personal data is “necessary” for the fulfillment of your user contracts—if you’re an email provider handling emails, for example—then that’s also automatically kosher under EU law.
“The court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken,” said Max Schrems, the litigant who brought the case, said in a statement after the ruling came through.
But an awful lot of U.S. companies, big and small, are still likely to be flailing around now, looking for a legal solution to a problem that abruptly landed in their laps on Thursday morning.
The only reliable, long-term solution would be changes in U.S. privacy and surveillance law. Expect to see Silicon Valley’s lobbying efforts step up on that front very soon.
More must-read international coverage from Fortune:
- Corporate Germany has a race problem—and a lack of data is not helping
- The downfall of Wirecard is stirring an epic shareholder revolt in Germany
- “A real bind”: Banks that carry out Trump’s new sanctions could violate Hong Kong security law
- Russia’s online censorship machine is no longer running smoothly
- Wirecard shows auditing is broken. Here’s why—and how to fix it