On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by U.S. companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.
The U.S. Department of Commerce has stated its intent to continue to enforce the Privacy Shield with respect to its participants and to remain in close contact with the European Union Data Protection Board and European Commission to address the ongoing flow of data from the European Union.
“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
The Privacy Shield is not the only mechanism which allowed for transfer of personal data from the European Union under the GDPR, and as such, companies will need to evaluate alternative mechanisms and safeguards which may still allow for transfer of personal data to the U.S. from the European Union. Although the CJEU found the Privacy Shield to be invalid, it ultimately determined that the Standard Contracts Clauses (“SCCs”), which had been adopted originally in relation to the GDPR’s predecessor, were still valid. However, it emphasized the SCCs would need to be examined on a case-by-case basis to ensure that safeguards and mechanisms could afford equivalent levels of protection for the data transfer in practice.
U.S. companies which actively transfer personal data from the European Union will need to carefully consider the impact the Privacy Shield invalidation will have on their organization.
- U.S. companies which relied solely upon the Privacy Shield will need to look to the SCCs or an alternative mechanism such as Binding Corporate Rules to authorize personal data transfers from the European Union. At the same time, participating Privacy Shield organizations will need to continue to comply with its requirements.
- Companies which have already been utilizing the SCCs or which will need to utilize them moving forward should conduct a risk assessment to determine whether and to what extent their existing safeguards and mechanisms would allow compliance with the SCCs and the GDPR and what additional safeguards may be necessary in order to provide the equivalent protections emphasized by the CJEU.
- At particular risk are companies subject to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333. Guidance from the European Data Protection Board will be critical here for companies to understand what additional “safeguards” may be sufficient to allow for personal data transfers to the U.S.
- Companies should additionally look to their applicable European Union supervisory data protection authorities (“DPA”) for guidance on how they will treat personal data transfers moving forward. Some DPAs have already taken the position that the SCCs are or are likely to be equally unsuitable for data transfers to the U.S. (Germany DPAs), whereas others have stated their intent to more carefully examine the issue (Ireland, Denmark). Under the GDPR, DPAs have the authority to suspend or prohibit data transfers to third countries pursuant to SCCs if it is their belief that the clauses cannot be complied with and protection ensured by other means.
As there is no grace period afforded by the CJEU, companies will need to act quickly to assess the impact the Privacy Shield’s invalidation will have on their operations and data exports from the European Union. Additional guidance is expected to be forthcoming from the European Data Protection Board as well as updated SCCs to address the concerns of the CJEU.
