More than 5,300 companies in the United States using the EU-US Privacy Shield Framework for the transfer of personal data from the European Union to the U.S., in compliance with the requirements of the General Data Protection Regulation (GDPR), woke up to find out that the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield. Since the court’s decision in Schrems II is 64 pages long, here is a summary of what you need to know for now:
What did the court say?
|Privacy Shield is invalid.
- U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law on Fundamental Rights.
- EU data subjects do not have a right to effective legal remedies in the U.S. to ensure compliance with provisions of EU law when their data is used for national surveillance programs.
- The authorities of the EU Member States have insufficient powers and means to take effective action in relation to data subjects’ complaints based on allegedly unlawful processing in a third country.
|Standard Contractual Clauses are valid, with caveats.
- Standard Contractual Clauses (SCC) are inherently intended to provide contractual guarantees and thus cannot bind the public authorities of third countries.
- Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC.
- “Adequate protection” requires the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.
- If adequate protection cannot be ensured:
- Companies must provide additional safeguards or end transfers.
- Supervising authority is required to suspend or prohibit transfer to third country.
- Data already transferred needs to be returned or destroyed.
|There is no applicable exception to the scope of GDPR under Article 2 for these types of transfers.
- The General Data Protection Regulation (GDPR) applies to the transfer of personal data for commercial purposes from the EU to a third country, regardless of whether that data would be further processed by the authority of the third country for surveillance programs or national security reasons.
What should I do?
Unless your company is in one of the countries with an adequacy decision, or the U.S. and EU decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under U.S. surveillance laws, here are your options:
|Do you use Privacy Shield for transfers from the EU to the U.S.?
- As soon as possible, find an alternative legal basis to enable transfers of GDPR-protected data to the U.S. like SCCs, Binding Corporate Rules, approved code of conduct, or derogations for specific situations.
- If you have negotiated Article 28 Data Processing Addendums or agreements that require the parties to execute the SCCs if the Privacy Shield is declared invalid, begin the process of reaching out and getting those clauses in place.
|Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)?
- Although the SCCs may be at risk for a similar determination by European regulators, for now they remain a valid transfer mechanism.
- Review the data importer’s technical and security measures specified in Appendix to the SCC and consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
The decision has had the unfortunate effect of leaving thousands of companies who rely exclusively on Privacy Shield for transfers of data into the U.S. in legal limbo. The U.S. has said that it will work with European regulators to limit the negative consequences of the decision. However, given the current state of U.S. data surveillance laws, which permit government access to data in certain circumstances, it is unclear how the U.S. and the EU can move forward to establish rules to which both sides can agree.
For more information please contact Victoria Beckman, Melissa Kern or any attorney in Frost Brown Todd’s Privacy and Data Security practice group.
 Privacy Shield enabled U.S. based organizations to voluntarily self-certify and register with the Department of Commerce that they are making the public commitment to comply with the framework’s requirements. This commitment is enforceable under U.S. law. Participating organizations are further required re-certify on an annual basis.
 The European Commission has recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection.