This will have far-reaching impacts on companies on both sides of the pond. Those who relied on the Privacy Shield to transfer personal data must find an alternative method or stop. This will be extremely problematic for companies that work across both jurisdictions, who must transfer personal data for their company to function.
What was the Privacy Shield?
Companies can transfer personal data to other countries where there is at least an equal measure of data protection as directed by EU law. Companies can legally transfer data when the EU has determined that a third country has adequate measures in place. Due to substandard data protection and privacy laws, the US has not passed this test. So, the EU and the US produced the Privacy Shield Framework. This framework carved out a legal path by which the personal data of EU citizens could be transferred between the EU and the US, so long as those US companies enrolled in the Privacy Shield Framework complied with the data protection obligations imposed upon them.
Why did the CJEU invalidate the Privacy Shield?
The CJEU determined that US National Security law does not sufficiently protect EU citizens’ personal data. US surveillance laws allow the government to access more personal data than is strictly necessary. In short, the US government can snoop to a degree that does not align well with EU law. Hence, the Privacy Shield Framework does not sufficiently protect the personal data transferred under it.
Standard Contractual Clauses – what are they?
SCCs are standard clauses published by the European Commission or by a member state Supervisory Authority. They offer sufficient safeguards on data protection to allow personal data to be transferred outside of the EU. Although the CJEU endorsed the use of SCCs, moving forward, it made clear that parties have an obligation to ensure that the laws in the recipient country are sufficient to protect EU personal data. If the guarantees of the SCCs are not upheld, then personal data transfers with that company must be suspended.
What should companies do now?
Companies that transfer personal data to the US must ensure they continue to do so lawfully. Where a company has previously relied on Privacy Shield certification, it must implement a new transfer mechanism as an SCC. Still, where required, it must consider additional supplemental contractual safeguards that go above the standard SCCs.
To avoid falling foul of the Information Commissioners Office (ICO), companies must assess whether their data privacy safeguards are sufficient and ensure those of any company outside of the EU with whom they have or intend to continue sharing EU citizens’ personal data affords an equivalent protection guaranteed within the EU under GDPR legislation.
This is a complicated area of cross-border data protection law. Companies should seek advice from a lawyer to ensure compliance with EU law.
Speak to Karen Cole today, who can review your existing contracts and practices to ensure your company complies.
Note: This is not legal advice; it provides information of general interest on a current legal issue.