EU Court Ruling May Signal Problems for Data Privacy Shield

By George Lynch

A recent EU court opinion finding fault with a draft EU-Canada airline passenger data-sharing pact may cloud the future of the EU-U.S. Privacy Shield data transfer framework relied on by thousands of U.S. companies, privacy attorneys told Bloomberg BNA.

The Court of Justice for the European Union (CJEU) opinion on the draft passenger name record (PNR) agreement doesn’t directly apply to the Privacy Shield, which covers commercial data transfers. But it represents the first time the court has discussed conditions under which the EU may allow cross-border data transfers through treaties.

The July opinion may be a sign that the critical EU-U.S. cross-border data flow agreement used by Alphabet Inc.'s Google, Facebook Inc., Microsoft Corp., and thousands of other companies will have to be re-drafted, some attorneys said.

The Privacy Shield is used by nearly 2,400 U.S. companies that certify their compliance with EU-approved privacy principles to the U.S. Commerce Department to transfer personal data out of the EU more easily. Tens of thousands of EU companies rely on those certifications to send data to U.S. companies.

PNR data collected from airline passengers booking and checking in for flights is shared across borders with national security and law enforcement officials. The EU top court’s ruling advised the European Parliament to amend the draft pact with Canada so that it protected fundamental privacy rights better. The court said the draft pact didn’t provide sufficient protections for sensitive data, and gave insufficient notice to individuals about further data transfers beyond the initial recipient.

The PNR ruling follows the court’s invalidation of the U.S.-EU Safe Harbor data transfer agreement that the Privacy Shield replaced. The Privacy Shield is likely to face the same direct scrutiny, Robin Campbell, co-leader of the data privacy and cybersecurity group at Squire Patton Boggs LLP in Washington, told Bloomberg BNA.

Jorg Hladjk, European data protection of counsel at Jones Day LLP in Brussels, told Bloomberg BNA that although the rulings on the PNR pact and the Safe Harbor are “different animals” because of the national security and commercial differences in how the data are used, they both provide insight into how the court may analyze the Privacy Shield. The CJEU focused in both cases on overarching privacy principles of necessity, proportionality, and retention, he said.

A New Standard of Scrutiny?

The court’s careful scrutiny of the agreement and critique of a number of provisions could put pressure on the EU and U.S. to tweak the agreement before it could reach the CJEU, privacy professionals said.

Justin Antonipillai, chief executive officer of privacy and security software company, and former acting undersecretary for economic affairs at Commerce, told Bloomberg BNA that “the step-by-step, auditor-like way the CJEU approached” the PNR analysis “sends a message and just reinforces how specific and detailed the court is going to be on any Privacy Shield review.”

The court wasn’t convinced that a Canadian oversight office for the proposed PNR had “complete independence.” The Privacy Shield’s independent U.S. oversight authority provisions may face similar skepticism, Antonipillai said. Although there are multiple supervisory authorities in the U.S. for both commercial and national security uses for data, it will take serious engagement and experienced U.S. officials to explain to EU courts those processes and how these requirements were met, Antonipillai said.

EU Justice Commissioner Vera Jourova has said that the “independence and efficiency” of the U.S. ombudsman, to whom individuals can refer any complaints about undue surveillance of data by U.S. authorities, is crucial. The European Parliament has also questioned the independence of the ombudsman.

The CJEU also took issue with the PNR agreement’s five-year data retention provision. Although the court didn’t find that the five-year data retention period was beyond what was strictly necessary for persons that posed a risk of terrorism or transnational crime, it said that it should be subject to prior review by an independent supervisory authority.

The Privacy Shield’s five-year data retention period, which can be extended for national security reasons, may fall short of the strict necessity standard, Lokke Moerel, cybersecurity and privacy senior of counsel of Morrison & Foerster LLP in Berlin, told Bloomberg BNA.

It is difficult to see how the PNR-focused standards wouldn’t also apply to the Privacy Shield, Moerel said.

Negotiating Tool?

The European Commission, the EU’s executive arm, may use the PNR ruling as a tool “to negotiate more robust privacy protections in similar agreements with third countries,” Anna Pateraki, a senior privacy associate at Hunton & Williams LLP in Brussels, told Bloomberg BNA.

The CJEU’s opinion also demonstrates the criteria that it may use to decide whether future international agreements adequately protect the privacy of EU citizens, Pateraki said.

Antonipillai said that the PNR ruling will be yet another item that the commission will consider during the first annual Privacy Shield review in September. But it’s unclear how specific and important the ruling may be in the review, and how much the U.S. needs to worry about it, he said.

Hladjk said the real question is whether the Privacy Shield will ever be evaluated by the CJEU. Given that the Privacy Shield was drafted to address questions raised by the court’s Safe Harbor ruling, it is unlikely that challenges will be sent to the court, he said.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
