
On July 16, the Court of Justice of the European Union invalidated the Privacy Shield, a program leveraged by companies to transfer European citizens' personal data to the United States, due to a lack of remedies against potentially unrestricted U.S. government access.

Lawyers say the decision forces companies to rely on or redraft data transfer contracts, and abide by a new level of data review that may require technical safeguards, or bypass transferring EU data to the U.S. altogether.

"More than 5,300 U.S. companies who were Privacy Shield participants, at a time when the economy is on its knees in the middle of a pandemic, those companies are going to have significant interruption to their business by being unable to rely on their Privacy Shield certification," said Loeb & Loeb privacy, security and data innovations co-chairman Ieuan Jolly.

Still, trans-Atlantic data flow isn't dead. After all, companies still have various alternative data transfer mechanisms. The General Data Protection Regulation provides exemptions for one annual transfer of data, noted Francoise Gilbert, a lawyer and founder of corporate data privacy and security consultancy DataMinding Inc.

Companies transferring data more than once a year can also draft standard contractual clauses, which the CJEU ruled are still valid.

"Standard contractual clauses, as they're now, are deemed to comply and meet the EU requirements," Gilbert said.

But she added that "there is a second component that is new which is a requirement from the data importer and data exporter to go further than that and make sure whatever is happening in their particular type of transfer and data [has] no additional risk."

Indeed, the CJEU made it clear that adding new standard contractual clauses requires companies to make a more in-depth assessment of their data collection and transfer process, Jolly added.

Specifically, companies must evaluate the sensitivity and volume of data transfers, he explained. "The sensitivity and use case combined with the volume will impact if there's a higher level of [likely] surveillance by U.S. governmental agencies. But more fundamentally, when you're looking at standard contractual clauses, to legitimize data transfers you will have to assess what type of additional safeguards beyond the standard contractual clauses will be required and what will be reasonable."

Covington & Burling of counsel Kristof Van Quathem, who represented the Software Alliance in the recent CJEU matter, said companies are exploring encryption and other technical safeguards for EU data transferred to the U.S. He added that more organizations are also considering prohibiting data transfers to the U.S. entirely.

But encryption and notification safeguards can't match all the privacy rights granted to EU citizens, Jolly noted.

"The back-end issues are much harder to solve," Jolly said. "The lack of judicial review is a much bigger issue because a fundamental defect with U.S. law is that it's a constitutional requirement that no one can bring a lawsuit unless they can show they have suffered damages. In an environment of national security surveillance collection, where very few people, if anyone, is told they are the subject of a surveillance, no one can come to court to say they have been hurt from the collection of their data." 

To be sure, the European Union and U.S. government have already signaled they will work together to continue data transfers. Indeed, while "deeply disappointed" in the CJEU decision, U.S. Commerce Secretary Wilbur Ross noted the U.S. would continue to collaborate with the European Commission and European Data Protection Board to limit adverse repercussions. The European Commission also said it would "reflect on operative ways to strengthen our [EU to U.S.] data transfers," according to Reuters.

However, lawyers didn't think Europe's latest decision would propel the U.S. to adopt a national data privacy law.

Los Angeles-based Jeffer Mangels Butler & Mitchell partner Bob Braun noted that while debates and the enactment of state-level laws regarding data surveillance in the private and public sector are growing, "as a general matter, the U.S. seems less concerned about government access."