On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a decision invalidating the EU-US Privacy Shield, an agreement between the EU and the U.S. Department of Commerce that allowed businesses to lawfully transfer personal data from within the EU or European Economic Area (EEA) to U.S. businesses that self-certified compliance with certain privacy principles. The Privacy Shield was invalidated on the grounds that personal data transferred under it is not sufficiently safeguarded from access and use by U.S. national security authorities. This ruling came as the outcome of the case (nicknamed “Schrems II”) brought by Austrian lawyer-activist Maximilian Schrems.
As a result, companies can’t rely on the EU-US Privacy Shield as a data transfer mechanism. Other mechanisms governing data transfers from the EU to non-EU countries, including binding corporate rules and standard contractual clauses (SCCs), remain potential options. However, in the decision the CJEU indicated that data exporters may have additional obligations under the SCCs to ensure that data transferred out of the EU is protected to a degree at least equivalent to the standards of the EU or EEA.
The invalidation of the EU-US Privacy Shield will impact organizations that transfer personal data of people in the EU to countries outside the EU or EEA and have relied on the EU-US Privacy Shield for these cross-border transfers.
While organizations should closely monitor the guidelines from the Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB), it will be important to assess the impact now and start planning for the implementation of alternative transfer mechanisms. This decision will have a significant impact on you if you are self-certified under Privacy Shield and you are using Privacy Shield as the legal basis for transferring EU personal data from the EU or EEA to the U.S.
- The immediate impact is around the legal agreements that your company has with EU-based companies, where they are relying on Privacy Shield as the mechanism to enable the transfer of personal data to the U.S.
- The primary responsibility for ensuring the legality of a transfer is with the EU-based party that is sending the data to the U.S.
- If your company is registered and self-certified with the Department of Commerce (DOC) as a participant in Privacy Shield, be aware that the Privacy Shield commitment is with the DOC and remains enforceable by the Federal Trade Commission until your registration expires or you otherwise withdraw from the program.
This is primarily a legal matter that your privacy or contracts attorney will have to address by implementing another transfer mechanism to ensure legality of data transfer; many organizations will choose SCCs. Your counsel or privacy team may reach out to IT and operations to review your privacy controls to ensure they align with the commitments spelled out in the SCCs.
Your EU-based counterparties will likely contact you to ask what steps you are planning to take. In certain cases the EU entity may also ask to conduct additional due diligence to understand and confirm how you are handling EU personal data. You should consider speaking to your counsel and privacy team and agreeing on the right way to handle these inquiries.
Under the GDPR, all organizations that control or process EU personal data are obligated to maintain Records of Processing Activities (RoPA) and to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities. This documentation may help identify where EU personal data is being transferred and how it is handled.
To the extent that you are impacted by the decision and have access to the governing contracts, gathering the agreements together and reviewing them with your privacy team and counsel will accelerate the process of renegotiating with the counterparty. Moreover, working with your privacy team and counsel to ensure your company can meet the requirements stipulated in the appendices to the SCCs will also accelerate the transition and streamline cases where the EU-based counterparty requires a due-diligence review.
The invalidation of the EU-US Privacy Shield has raised several questions for the roughly 5,000 companies relying on this mechanism to enable the transfer of personal data from the EU to the U.S. The guidance expected from EU regulators (DPAs and the EDPB) over the next few weeks regarding the actions that organizations may need to take will potentially result in a number of required changes to the privacy programs of the affected companies, with some degree of urgency. While privacy counsel has to take the lead in determining the impact to your organization, it is important for the sake of efficiency that changes to the broader enterprise be considered and planned for without delay.
The field of data science and technology is evolving at an incredible pace, with new inventions, promising opportunities and new benefits that were unimaginable a few short years ago. At the same time, missteps and breaches are happening with alarming frequency, affecting millions of people every day. Lawmakers around the world are responding by enacting legislation aimed at protecting the rights and interests of individuals. Successful companies are the ones that can quickly navigate these changes and make greater use of information while managing risk and ensuring compliance, thereby building the trust of customers, regulators, the broader market and other stakeholders.