EU court ruling rendering Privacy Shield null has serious implications for Israeli companies
Earlier this month, Europe's highest court declared the EU-U.S. Privacy Shield framework—meant to help companies comply with data protection requirements—to be invalid as a mechanism for transferring personal data from Europe to the U.S.
In one of the most anticipated judgments of the year, the CJEU declared the EU-U.S. Privacy Shield framework—meant to help companies on either side of the ocean comply with data protection requirements—to be invalid as a mechanism for transferring personal data from Europe to the U.S.
The CJEU also held that Standard Contractual Clauses (SCCs), which are the more commonly used transfer mechanism, remain valid subject to the requirement that businesses verify whether the overall context of the transfer (including the destination country) offers appropriate safeguards.
The judgment requires EU data protection regulators to suspend or prohibit transfers where such appropriate safeguards cannot be provided.
Although the judgment does not specifically mention Israel, it is likely to have serious implications for many Israeli tech companies.
The General Data Protection Regulation (GDPR) regulates the transfer of EU residents’ personal data, requiring a valid transfer mechanism under Chapter V GDPR to be in place. Such mechanisms include adequacy decisions of the European Commission (such as Privacy Shield) and appropriate safeguards, such as SCCs and binding corporate rules, which address intra-group transfers.
This is not the first time the CJEU has invalidated a transfer mechanism. In 2015, the CJEU invalidated Privacy Shield’s predecessor, the EU-U.S. Safe Harbor Framework, in a case commonly referred to as Schrems I, initiated by a complaint by the same individual as in the current case. At the heart of Schrems’ complaint was the fact that U.S. surveillance laws did not offer adequate protection for the personal data of EU residents.
As a result of the CJEU’s previous judgment, Israel’s Privacy Protection Authority revoked its prior authorization of transfers of personal data from Israel to the U.S. based on the Safe Harbor Framework. It later announced the approval of the EU-U.S. Privacy Shield. Now, it is likely that Israel will similarly revoke the approval of Privacy Shield following the latest judgment.
To summarize the CJEU’s recent judgment, it held that due to the potential access to, and use by U.S. public authorities of personal data on EU residents transferred to the U.S., a level of protection essentially equivalent to that guaranteed under EU law cannot be guaranteed under the Privacy Shield mechanism.
It further held that SCCs may not always constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to a third country, in particular, if the law of that third country allows public authorities to interfere with the rights of those to which that data relates.
The judgment reiterates the importance of businesses verifying, prior to any transfer, whether an appropriate level of protection is respected in the relevant third country. Where there are no appropriate safeguards, the transfer of personal data to the third country should be suspended by the exporter or, failing that, the data protection supervisory authority of the relevant member country.
Although not explicitly referenced in the judgment, it is likely that this obligation would also apply to other appropriate safeguards, including binding corporate rules.
The judgment has serious implications for Israel. Not only because it potentially requires Israeli businesses to carry out an assessment of the destination country—in most cases the U.S.—when transferring personal data originating from the EU, to determine whether it has adequate safeguards in place; but also due to the potential implications for the European Commission’s adequacy decision concerning Israel.
The approval of adequacy, granted in 2011, allows the transfer of personal data from the EU to Israeli companies, without the need for additional safeguards. The CJEU’s decision in Schrems II is likely to have an impact upon the European Commission’s periodic review of Israel’s adequacy decision.
Furthermore, it might present potential legal challenges in relation to the Commission’s past adequacy decisions, including Israel, which, like the U.S., conducts extensive surveillance for national security purposes, potentially running afoul of the CJEU’s standards in Schrems II.
Businesses should analyze data flows that involve transfers of personal data to the U.S. and determine which transfer mechanism (Privacy Shield, SCCs) is currently being used.
For those transfers relying upon Privacy Shield, finding an alternative transfer mechanism must become a priority. In particular, businesses should contact their service providers to confirm whether they rely on the privacy-shield mechanism and ask whether they have (or expect to have) another transfer mechanism in place.
For businesses currently using, or considering (as an alternative to Privacy Shield), the use of SCCs, businesses must assess the level of appropriate safeguards provided by that transfer to determine whether SCCs are an available mechanism.
The real-life risks of such must be taken into account, within the context of the sector or industry and other relevant factors including the destination country and the identity of the recipient, which may be challenging particularly given the uncertainty in the CJEU’s judgment in relation to relying on SCCs for transfers of personal data to the U.S.
Israeli companies may want to consider storing personal data on EU residents within the EU’s physical borders or within other countries declared adequate by the European Commission, although this will be more challenging for smaller tech companies.
Despite the questions that were raised by the CJEU, SCCs remain, for now, the most realistic option for the transfer of personal data. We expect it will take time for the full practical implications of the decision to flow down and take effect. It remains to be seen whether Israel will face similar challenges to those brought by the Schrems cases for the U.S.
Andrew Dyson is a partner at the international law firm DLA Piper’s Intellectual Property and Technology group. He also co-chairs the firm’s Global Data Protection, Privacy, and Security practice.
Rachel De Souza is a knowledge development manager at DLA Piper's U.K. Data Protection, Privacy, and Security practice.