On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Privacy Shield Framework, designed by the U.S. Department of Commerce and the European Commission, is no longer valid for transferring the personal data of European citizens and residents out of the EU to the U.S.
The General Data Protection Regulation (GDPR), which became enforceable in May 2018, sets forth the principles and requirements for how organizations may use or process the personal data of Europeans, and it requires that any transfer of personal data outside the EU rest on a valid transfer mechanism. The European Commission has deemed some countries "adequate" on the basis of their own national data protection laws; the U.S. is not among them. For this reason, many U.S. organizations have relied on Privacy Shield, an agreement between the EU and the U.S. under which adequacy was extended to U.S. organizations that adopted the Privacy Shield Framework and Principles and self-certified their compliance for processing European data.
The July 16 ruling came out of the Schrems II case and held, in short, that Privacy Shield does not adequately protect the personal data of EU citizens and residents, because U.S. authorities can access and use that data under U.S. surveillance laws and other governmental practices. The decision has left over 5,000 active Privacy Shield participants needing another mechanism for cross-border transfers, such as Standard Contractual Clauses (SCCs), in order to remain GDPR compliant. Fortunately for these organizations, the Court upheld the SCCs; however, organizations relying on them must now also assess whether the law and practice of the destination country allow the protections the SCCs promise to be honored in practice, and adopt additional safeguards where they do not. The ruling also appears to leave the door open for the SCCs themselves to be revised in the near future.
The ruling has been an earthquake in the data privacy world leaving organizations scrambling to determine the impact and next steps, and furthering the calls for U.S. surveillance reform or a U.S. national data privacy law similar to the GDPR.
What should U.S. organizations do right now?
If your organization processes the personal data of Europeans as either a data controller or a data processor, and you are Privacy Shield self-certified, the advice from the UK’s Information Commissioner’s Office (ICO) is to maintain your Privacy Shield certification and continue honoring its obligations. Note that withdrawing from Privacy Shield requires a formal withdrawal process, and you may find it more of a challenge than it’s worth.
If your organization is not currently Privacy Shield self-certified and you process the personal data of Europeans, the ICO advises that now is not the time to begin the self-certification process.
Regardless of whether you are Privacy Shield self-certified, and whether you are a data processor or a data controller, now is the time to refer to your records of processing activities (you did create the records Article 30 of the GDPR requires, right?) and evaluate the mechanism each transfer of European data relies upon. Ensure your contracts incorporate the GDPR SCCs; if they do not, work with your data controllers or data processors to execute them alongside the data processing agreements your relationships already require.
You may find that savvy or apprehensive EU-based organizations, and even individuals, will ask questions about your organization’s transfer mechanisms, Privacy Shield status and data processing activities. Once your organization has settled on its mechanisms, prepare a statement that explains which ones you rely upon. Make it clear and concise, so that the organizations and individuals you interact with can be confident you are protecting their personal data appropriately and lawfully. Remember, nothing breeds concern like ambiguity, confusion and inconsistency.
Data privacy is a complex and continually evolving issue. We are here to help. For more information or help with data privacy at your organization, contact our team.