The July 20 decision of the Court of Justice of the European Union in Data Protection Commissioner vs. Facebook Ireland and Maximillian Schrems (Case C-311/18) invalidated the EU-US Privacy Shield framework that had been relied on by more than 5,000 US companies to avoid cumbersome data-privacy contracting requirements governing data transfers from the European Union.
Companies that participated in the Privacy Shield or considered participating should revisit their international data-processing agreements or execute new agreements to ensure compliance with the GDPR.
The EU General Data Protection Regulation (GDPR) states that EU data processors and controllers may not transfer personal data outside the European Union unless the receiving party’s country ensures an adequate level of data-privacy protections. Protections are adequate if the receiving country’s domestic law or international commitments provide safeguards similar to those imposed by the GDPR within the European Union. If the receiving party’s country doesn’t have adequate laws or treaties in place, personal data can be transferred outside the European Union only if the individual data exporter has a contract with the data recipient that includes sufficient data protection clauses, including standard clauses adopted by the European Commission. A data exporter or recipient that engages in a transfer without the appropriate legal or contractual safeguards is subject to an enforcement action by the European Commission and substantial penalties.
To satisfy the GDPR legal adequacy requirement—and avoid the significant transactional costs associated with establishing satisfactory contracts between EU data exporters and US data recipients—the US Department of Commerce and the European Commission established the EU-US Privacy Shield framework. Administered by the International Trade Administration within the US Department of Commerce, the Privacy Shield establishes a number of data-privacy principles and requirements that have been accepted as adequate by the European Commission.
To join the Privacy Shield framework and benefit from the adequacy determination, a US-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the framework’s privacy requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the framework’s requirements, the commitment is enforceable under US law, and participants who fail to satisfy their obligations are subject to enforcement actions by the Federal Trade Commission.
On July 16, the Court of Justice of the European Union issued a judgment in the Schrems case declaring the Privacy Shield invalid. The court based its decision in large part on its evaluation of US government surveillance laws. According to the court, US law didn’t provide the level of control over use of personal data by public authorities that’s imposed by the GDPR. Consequently, the provisions of the Privacy Shield weren’t adequate to satisfy GDPR requirements.
As a result of the decision, the Privacy Shield framework is no longer a valid mechanism to comply with EU data-protection requirements when transferring personal data from the European Union to the United States. The court didn’t provide for any grace period during which companies can continue transferring data to the United States without a contractual basis for the transfer.
Now that the Privacy Shield has been invalidated, companies transferring personal data from the European Union to the United States (other than transfers within related multinational entities) can only do so pursuant to a contract containing appropriate data-protection clauses, including the standard contractual clauses (SCCs) approved by the European Commission. SCCs include definitions of key terms and language governing the obligations of the data importer and exporter, liability, third-party rights, choice of law, and dispute resolution.
Companies that participated in the Privacy Shield or considered participation to efficiently transfer data from Europe to the United States should revisit their international data-processing agreements to ensure compliance with the GDPR. Barclay Damon’s attorneys can assist by reviewing existing agreements or drafting new contracts to govern international data transfers.
If you have any questions regarding the content of this alert, please contact Charlie von Simson, of counsel, at cvonsimson@barclaydamon.com or another member of the firm’s Cybersecurity Team.