More than 5,300 companies in the United States using the EU-US Privacy Shield Framework for the transfer of personal data from the European Union to the U.S., in compliance with the requirements of the General Data Protection Regulation (GDPR), woke up to find out that the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield.[1] Since the court’s decision in Schrems II is 64 pages long, here is a summary of what you need to know for now:
What did the court say?
- Privacy Shield is invalid.
- Standard Contractual Clauses are valid, with caveats.
- There is no applicable exception to the scope of GDPR under Article 2 for these types of transfers.
What should I do?
Unless your company is in one of the countries with an adequacy decision,[2] or the U.S. and EU decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under U.S. surveillance laws, here are your options:
- Do you use Privacy Shield for transfers from the EU to the U.S.?
- Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)?
The decision has had the unfortunate effect of leaving thousands of companies who rely exclusively on Privacy Shield for transfers of data into the U.S. in legal limbo. The U.S. has said that it will work with European regulators to limit the negative consequences of the decision. However, given the current state of U.S. data surveillance laws, which permit government access to data in certain circumstances, it is unclear how the U.S. and the EU can move forward to establish rules to which both sides can agree.
For more information please contact Victoria Beckman, Melissa Kern or any attorney in Frost Brown Todd’s Privacy and Data Security practice group.
[1] Privacy Shield enabled U.S.-based organizations to voluntarily self-certify and register with the Department of Commerce that they are making a public commitment to comply with the framework’s requirements. This commitment is enforceable under U.S. law. Participating organizations are further required to re-certify on an annual basis.
[2] The European Commission has recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection.