If your company does business in the EU or the European Economic Area (“EEA”) and transfers personal data back to the United States under the EU-U.S. Privacy Shield Framework, now is the time to revisit your contracts to ensure that you have an alternate legal mechanism for transferring personal data outside of the EU and EEA.
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the adequacy decision that enabled the EU-U.S. Privacy Shield Framework. This action eliminated one of the methods relied upon by companies to conduct trans-Atlantic business in compliance with the EU’s data protection rules. The Framework was invalidated because it does not guarantee sufficient protections for the rights of EU and EEA residents under the EU’s General Data Protection Regulation (“GDPR”) and the EU Charter on Fundamental Rights, nor does it offer sufficient judicial redress for violations of those rights – all concerns stemming from a lack of protection for the personal data of EU and EEA residents from interception by U.S. surveillance programs.
Functionally, this means that businesses that previously conducted trans-Atlantic trade and transferred personal data under the Privacy Shield Framework will now need to use an alternate mechanism to legally transfer information outside of the EU and EEA. The decision, commonly known as “Schrems II,” reaffirmed the validity of the European Commission’s Standard Contractual Clauses, but left open the door for their future invalidation. In its decision, the CJEU stated that companies must verify on a case-by-case basis whether the local laws ensure adequate protections for the privacy rights of EU and EEA residents. Where those laws are insufficient, companies must provide additional safeguards, such as encryption of the personal data being transferred, or suspend transfers from the EU and EEA.
Companies relying on the Privacy Shield Framework should now adopt an alternative legal basis for transfers outside of the EU and EEA, but must also remember that their existing commitments to the Privacy Shield Framework remain enforceable by the U.S. Federal Trade Commission. All companies conducting trans-Atlantic trade should review whether they have properly executed the Standard Contractual Clauses or another cross-border transfer method as part of their GDPR-covered agreements. If they have been improperly executed, companies need to put in place a legal transfer mechanism such as the Standard Contractual Clauses or a Data Protection Authority-approved set of binding corporate rules to comply with their obligations under the GDPR. Without directly highlighting it, the Schrems II decision also concluded that data transfers to the U.S. by way of undersea cable (a primary method of transfer) are susceptible to access by U.S. intelligence programs. Companies will also need to implement additional procedures to ensure the protection of personal data transferred from the EU or EEA and to ensure the legality of their trans-Atlantic data transfers.
As more guidance becomes available, the team at Protorae Law will continue to provide updates. If you have questions about how to use the Standard Contractual Clauses or your other options for legal trans-Atlantic data transfers, please contact us.