
Privacy Shield has been invalidated – How does this affect your business?

In July 2020, in the landmark Schrems II decision, the Court of Justice of the European Union (CJEU) struck down the European Union – United States Privacy Shield Framework (EU-US Privacy Shield) and declared it invalid. The EU-US Privacy Shield was a personal data transfer mechanism under which companies could transfer the personal data of natural persons to the United States in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The CJEU invalidated the EU-US Privacy Shield on the basis that the limitations on the protection of personal data arising from US domestic law, namely the access to and use by US public authorities of data transferred from the European Union to the US, are not circumscribed in a way that satisfies requirements essentially equivalent to those required under EU law, because the surveillance programmes based on those provisions are not limited to what is strictly necessary. Accordingly, neither US national security law nor the EU-US Privacy Shield provides enforceable rights and effective legal remedies for European data subjects.

Upholding the Standard Contractual Clauses

Following this invalidation, businesses that wish to transfer personal data from the European Economic Area (“EEA”) to the US must now rely on other transfer mechanisms, such as the Standard Contractual Clauses (“SCCs”). In the absence of an EU Commission adequacy decision, the SCCs provide a contractual framework under which personal data can be transferred to processors located in third countries. In the same decision, the CJEU confirmed that the EU Commission’s Decision 2010/87/EU on SCCs remains valid, while stressing that the data exporter and the recipient must verify, on a case by case basis, that the law of the third country allows the level of protection required by EU law to be respected in practice.

Failure to comply with GDPR

Organisations that transfer personal data between EEA and US organisations without a valid transfer mechanism face administrative fines under the GDPR. Such a fine can be up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. The invalidation of the EU-US Privacy Shield adequacy decision therefore leaves many organisations that relied on it to transfer personal data to US organisations exposed to hefty fines.

What can my business do?

It is of critical importance for all concerned persons and entities to assess immediately their current GDPR arrangements for the transfer of personal data to the US. There is no grace period: the invalidation of the EU-US Privacy Shield took effect on the date of the CJEU’s judgment. Your business should determine, on a case by case basis, the appropriate safeguards to employ for such transfers to US organisations, such as the SCCs or binding corporate rules, or alternatively one of the “derogations for specific situations” (Article 49 GDPR), so that transfers to US organisations may continue. These derogations include the explicit consent of the data subject and transfers necessary for the performance of a contract. The European Data Protection Board (“EDPB”) has emphasised that relying on the derogations under Article 49 GDPR must not become the rule in practice: data exporters should first explore the possibility of framing the transfer with one of the mechanisms in Articles 45 and 46 GDPR, and only in their absence use the derogations in Article 49(1) GDPR, restricting such transfers to situations that are very specific and strictly necessary. The EDPB’s extensive guidance on the application of the derogations can be viewed here.

Companies may also implement technical measures to enhance compliance with the GDPR, including increased use of data encryption and the physical storage of data in the EEA instead of the US.

Additionally, privacy policies may need to be amended to state that methods other than the EU-US Privacy Shield are used for the transfer of personal data to US organisations. The US Department of Commerce has stated that the CJEU decision “does not relieve participants in the EU-US Privacy Shield of their obligations”. Companies certified under the EU-US Privacy Shield programme should therefore continue to comply with their EU-US Privacy Shield obligations in order to minimise risk under US law.

Conclusion

The Schrems II judgment ushers in a new era for the transfer of personal data from the EEA to the United States. The EDPB has announced that additional guidance and clarifications will be provided on the supplementary measures that can be put in place, in addition to SCCs and binding corporate rules, where the transfer of personal data to third countries is not sufficiently protected by SCCs or binding corporate rules alone. In the meantime, businesses should undertake an in-depth review of their data privacy policies to mitigate any compliance risk. For more information on how to review and assess your organisation’s current and future personal data transfers to the United States, please feel free to contact us.

DISCLAIMER:

PARIS MAVRONICHIS & CO LLC accept no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

The material contained herein is provided for informational purposes only and does not constitute legal advice nor is it a substitute for obtaining legal advice from an advocate. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced advocate. PARIS MAVRONICHIS & CO LLC will be glad to assist you in this respect.
