After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.
This decision impacts thousands of U.S. companies receiving data from the EU, who, until now, relied on the Shield’s self-certification process to validate their operations, including such industry titans as Amazon, Google and Facebook. (A full list of Privacy Shield-certified companies can be found here). Managed in the U.S. by the Department of Commerce, the Shield allowed U.S. companies to keep their data processing activities under the watchful eye of U.S. regulators as opposed to that of the EU’s national supervisory authorities. However, in light of the CJEU’s decision, this is no longer the case.
So, where do we go from here? Shield-certified companies now must choose a different EU-approved mechanism for validating the transfer of EU personal data to the U.S.
Alternative Mechanisms for Validating Transfers
Under Article 46 of the GDPR, other mechanisms for validating data transfers outside of EU borders include the following:
- Binding Corporate Rules (BCRs), a set of EU-vetted and legally enforceable rules for the processing of personal data when personal data is transferred between members of a corporate group or group of enterprises engaged in joint economic activity;
- Transfers to a select group of countries deemed “adequate” by the Commission (of which the United States is not one) on the basis that they offer a level of protection to personal data that is similar to EU protections; or
- European Commission’s Standard Contractual Clauses (SCC), a set of non-negotiable contract provisions which contractually bind the data importer to process EU data in accordance with the law of the EU Member State in which the data exporter is established. The SCCs (or “Model Clauses”) exist in two forms: (a) those governing international transfers between a data controller (also known as “data exporter”) based in the EU and a data processor (also known as “data importer”) based outside of the EU, and (b) those applicable to international transfers between EU-based data controllers and non-EU-based data controllers (such as in the case of corporate affiliates).
Standard Contractual Clauses – the next best option
It is likely that most U.S. companies who built their compliance programs upon the Shield’s self-certification process will now turn to the EU Commission’s SCCs for validating their data processing activities in the U.S. The clauses are convenient in terms of eliminating regulatory filings of any kind. That said, they do require companies to verify that appropriate safeguards exist (from the point of collection in the EU to the destination country) to protect an individual’s personal data. Further, final authority on the sufficiency of such safeguards will be left in the hands of EU data protection authorities, not the U.S. Department of Commerce. The SCCs will also require that U.S.-based data importers be familiar with EU data protection laws, including the data protection laws of each EU Member States from which the data is collected for processing in the U.S.
If your business is impacted by this recent CJEU ruling – whether your organization is a self-certified Shield entity or it shares EU personal data with a 3rd party vendor or other 3rd party that is Shield-certified – our team of privacy attorneys, which includes dual U.S.- and EU-qualified counsel, can assist with evaluating your options and developing a compliance plan for your international transfers of data that will simultaneously meet the requirements of both U.S and EU laws. For more information, please contact Stephan Grynwajc at [email protected] or 347-543-3035.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. [email protected]
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.