By: Kevin Levy and Drew Haggard
The EU-U.S. Privacy Shield (Privacy Shield) will no longer provide more than 5,000 companies with a legal means to transfer personal data from the EU to the U.S., following a compelling decision by the Court of Justice of the European Union (Court) on July 16, 2020. If your company is relying on the Privacy Shield to transfer personal data from the EU to the U.S., you need to immediately put in place another legal means of transferring such personal data or risk being in violation of the General Data Protection Regulation 2016/679 (commonly referred to as GDPR), as well as potentially in breach of contractual requirements with vendors, customers and other third parties, which could include the risk of providing indemnification.
What was the EU-U.S. Privacy Shield?
The Privacy Shield was a self-certification program developed in 2016 through the collaboration of the U.S. Department of Commerce and the European Commission. Due to more stringent data protections in the EU than in the U.S., the Privacy Shield provided U.S. based companies with an EU recognized framework to comply with EU data protection requirements. The Privacy Shield was enforced in the U.S. by the U.S. Federal Trade Commission (FTC) and the U.S. Department of Transportation (DOT).
Why does the Court’s decision matter?
Prior to the decision, there were two practical mechanisms available for U.S. based companies to legally transfer personal data out of the EU and into the U.S.: (1) self-certification under the Privacy Shield; or (2) including the European Commission approved Standard Contractual Clauses (Standard Contractual Clauses) in contracts pursuant to which such transfers took place. Following the Court’s decision, there is now only one practical mechanism available for U.S. based companies to legally transfer personal data out of the EU and into the U.S. – proper use of the Standard Contractual Clauses.
The Court also considered whether to abolish the Standard Contractual Clauses, but the decision specifically left in place a prior European Commission decision implementing the Standard Contractual Clauses as a legal means of transferring personal data from the EU to the U.S. because the Standard Contractual Clauses are more in-line with the EU’s current view on data protection. This part of the decision is important not only because it affirms one of the practical means for the continued transfer of personal data from the EU to the U.S., but it also indicates that the EU (at least through the EU’s highest court) is largely relying on commercial, contractual relationships for the protection of such data transfers.
However, as a result of the decision, any company which has relied solely on the Privacy Shield for transfers of personal data from the EU to the U.S. must now review all vendor, customer and other third party relationships where such transfers are involved to properly incorporate the Standard Contractual Clauses into such relationship to avoid prosecution and fines from the EU, as well as potential breach of contract concerns. Companies and their counsel should also be on the lookout for references to the Privacy Shield in current form contracts and future contracts, and replace those references with the proper use of the Standard Contractual Clauses.
What to watch for next:
The decision from the Court came as a bit of a shock to many in the U.S. (especially the FTC, DOT and those companies relying exclusively on the Privacy Shield), as well as many EU businesses which are involved in the transfer of personal data to the U.S. Given the far reaching and potentially immediate implications of the decision (the Court is the highest court in the EU from which there is no appeal), officials from both the U.S. and EU have expressed a desire to meet and work towards an updated or new mechanism to replace the Privacy Shield, as well as a grace period for U.S. based companies to adjust compliance efforts. Based on the history of similar decisions, such a request is likely, but not guaranteed, to be granted by the EU.
What to do next:
As it is unlikely there will be a final resolution any time soon regarding the use of an updated or replacement to the Privacy Shield, U.S. companies, as well as EU companies, should immediately review any contracts, processes and procedures which involve the transfer of personal data from the EU to the U.S. and promptly consult with knowledgeable data privacy and security counsel to ensure proper reliance on the Standard Contractual Clauses is included in all such contracts, processes and procedures.
Published in the July 22, 2020 issue of the Daily Business Review.
 Judgment of the Court (Grand Chamber) of 16 July 2020, Case C-311/18. Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (also known as Schrems II). http://curia.europa.eu/juris/document/document.jsf;jsessionid=24D3CF01F192EEA430749BB291E4570F?text=&docid=228677&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=9841027.