26 July 2020

Schrems II: EU Court of Justice Declares EU-US Privacy Shield Invalid

On July 16, 2020, in a landmark decision, the European Court of Justice invalidated the European Union (EU) -United States (US) Privacy Shield Framework. The EU-US Privacy Shield Framework allowed US companies to self-certify to comply with more stringent EU privacy and data protection standards, and thus served as the basis to legitimize transfer of personal data of EU individuals to certified recipients in the US.   The Privacy Shield mechanism was used by thousands of companies to legitimize such transfers.   The framework was challenged by Max Schrems, an Austrian lawyer and privacy activist, who claimed that US law does not provide for adequate protection of personal data. As the decision to invalidate the Privacy Shield Framework cannot be appealed, the Privacy Shield Framework is no longer valid.

The invalidation of Privacy Shield has significant consequences for organizations operating in Israel, as described below.

Background

The EU's General Data Protection Regulation (GDPR) restricts the export of personal data to countries outside of the European Economic Area (EEA) unless certain mechanisms are implemented.  Personal data can be transferred freely to a jurisdiction certified by the European Commission as having an 'adequate' level of protection for personal data. Israel, for example, appears on the EU's 'white list' of countries certified as adequate.

Though the EU has not designated the US as having an adequate level of protection for personal data, the Privacy Shield Framework allowed data recipients in the U.S. to self-certify and undertake to comply with a higher level of protection than is generally required by US law.   Privacy Shield allowed for the export of data of EU data subjects to certified entities without the need to satisfy additional procedural hurdles, for example, use of Standard Contractual Clauses.

Relevance to Israeli Organizations

The invalidation of the Privacy Shield Framework may be relevant to Israel-based organizations in a number of ways.

  • Organizations that rely on their certification with the Privacy Shield Framework to allow them to process personal data about EU individuals in the US continue to be bound by their obligations under the Privacy Shield Framework. That said, they will be required to find alternative transfer mechanisms to allow for transfer of personal data for EU data subjects to the US.
  • Organizations that outsource data processing functions to US-based service providers or share data with US-based business partners should examine their relationships with these entities to ensure that a valid transfer mechanism is in place.
  • The Israeli Protection of Privacy Regulations (Transfer of Information to Databases outside of the State’s Boundaries), 2001 restrict data exports from Israel unless certain conditions are met. These regulations permit, however, data exports from Israeli databases to EU-sanctioned data recipients, subject to compliance with other regulatory requirements. While the Israeli Protection of Privacy Authority, Israel’s data protection authority, has not publicly commented on the new European ruling, it is expected that Privacy Shield Framework will be deemed inadequate to sanction data exports from Israeli databases to recipients in the US. Many organizations had relied on the Privacy Shield certification of data recipients to meet these Israeli requirements; as specified above, these organizations will need to utilize other legal bases for such transfers. 

Next Steps

Organizations that are affected by the ruling, whether directly or indirectly, should review their data transfer practices, as well as their relationship with service providers and business partners in the US. While the Privacy Shield Framework has been invalidated, the European Court of Justice did confirm the use of the Standard Contractual Clauses to allow for cross-border transfers. It should be noted, however, that when using Standard Contractual practice, the burden is placed on the 'controller' exporting data out of the EEA to review the law in the recipient country to ensure that it is adequate and institute additional data protection mechanisms as needed in order to ensure that personal data is properly safeguarded. It may take some time for companies to adapt their businesses in light of this decision, however it is imperative for organizations to commence such efforts. 

Clients interested in reviewing their practices and adapting those in accordance with the new ruling are urged to contact our privacy team - Yoheved Novogroder-Shoshan (YohevedN@arnon.co.il), Netanella Treistman (NetanellaT@arnon.co.il) or  Miriam Friedmann (MiriamF@arnon.co.il ).

This memo is intended to serve as a general overview and does not constitute a replacement for legal counsel on the matters discussed herein.

 

Subscribe for updates and news