European Court of Justice Invalidates the EU-US Privacy Shield
On 16 July 2020, the Court of Justice of the European Union (CJEU), Europe’s top court, released its much-anticipated “Schrems II” ruling (Case C-311/18), which invalidated the EU-US Privacy Shield with immediate effect. The Privacy Shield was a framework that enabled transfers of personal data from the EU to the U.S. under EU law: participating U.S. companies self-certified to the U.S. Department of Commerce that they adhered to the Privacy Shield principles. The invalidation was not a complete surprise. The court found that U.S. surveillance law (in particular FISA Section 702 and Executive Order 12333) does not limit access to EU personal data to what is strictly necessary and proportionate, and that EU individuals have no effective judicial redress in the U.S., so the Privacy Shield could not guarantee a level of protection essentially equivalent to that in the EU.
The invalidation of the Privacy Shield means that companies that relied on this framework as their primary safeguard for transfers to the U.S. must now revisit their data transfer arrangements, as Privacy Shield certification is no longer a lawful basis for transferring personal data out of the EU. Binding corporate rules (BCRs), Standard Contractual Clauses (SCCs) and the derogations for specific situations under Article 49 GDPR remain available, with SCCs likely the most feasible option for many organisations.
The decision did not invalidate SCCs, but the court made clear that they only work where the law and practice of the destination country do not undermine them. Data Protection Authorities (DPAs) are therefore expected to scrutinise SCC-based transfers more closely, and exporters must assess the local law of the importing country and, where necessary, add supplementary measures so that EU data remains adequately protected. SCCs signed without that assessment may not be a valid transfer mechanism. Further, pursuant to the judgment, companies must be able to demonstrate compliance with these clauses, so accurate and complete record keeping is essential.
In Europe, this decision will affect thousands of companies, from global conglomerates to small and medium-sized enterprises (SMEs). For Asia-Pacific (APAC) organisations, it matters if they have European operations or are domiciled in the EU, or supply products and services to EU customers, and the resulting personal data is transferred to or hosted in a third country (e.g. the U.S. or another non-EU country without an adequacy decision). A common example is a Software as a Service (SaaS) company based in APAC that serves EU customers and stores their data with a U.S. cloud hosting provider.
The CJEU did not stipulate a grace period, so the decision took effect on the judgment date (16 July 2020). There is also no clear timeline for when DPAs will issue guidance on what companies should do to keep EU-US data transfers compliant. Given this lack of clarity, APAC organisations that meet the criteria above will be searching for answers, especially given the substantial penalties the GDPR can impose (up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher).
With this in mind, Protiviti has developed some high-level guidelines for organisations to consider if this decision affects them. Keep in mind that the decision concerns personal data of individuals in the EU (not only EU citizens); as noted above, this is still relevant to many APAC-based organisations.
What you can do immediately
- Assess how this decision affects your European operations and data transfers in consultation with your privacy, IT, security, legal and compliance teams as well as your vendors charged with data processing and/or hosting.
- Review whether you are processing or holding significant volumes of personal data of EU individuals (e.g. citizens, residents, customers, employees, business partners), what the data is used for, where it is stored and what protections apply to it.
- Risk assess current data transfers case by case, taking into account whether the law and practice of the importing country provide adequate protection for the type of data being transferred.
- As a data importer or exporter, confirm whether your organisation or your third parties relied on the Privacy Shield to legitimise the transfer (the self-certification list is at https://www.privacyshield.gov/list). If so, consider whether SCCs or BCRs could be adopted, or whether a derogation for specific situations applies, such as explicit consent from the data subjects (noting that derogations are interpreted restrictively and are intended for occasional transfers, not as a substitute for a general transfer mechanism). While BCRs can be a costly and lengthy process to put in place, they can be a good long-term option for multinational companies that need to transfer personal data from the European Economic Area (EEA) to affiliates outside the EEA.
- If you already have SCCs in place, reassess them against the data privacy laws of the third country and supplement them with additional safeguards where those laws fall short. If the importer cannot comply with the clauses because of local law, the exporter has a legal obligation to suspend the transfer or terminate the contract, and must notify the competent supervisory authority if it nevertheless intends to continue.
- Assess whether your EU data is exposed to U.S. surveillance laws. This is most likely if the importer is an electronic communication service provider subject to FISA Section 702, in which case SCCs on their own are unlikely to deliver the essentially equivalent protection the court requires, and supplementary measures (or halting the transfer) will be needed.
- Continue to monitor further guidance and direction from relevant DPAs on the Privacy Shield invalidation.
Longer term actions
- If you self-certified under the Privacy Shield, you must continue to honour those commitments: the U.S. Department of Commerce continues to administer the framework and the Federal Trade Commission can still enforce self-certified commitments.
- Review data security arrangements to determine whether data transfers have appropriate technical controls that add protection in the importing country (e.g. encryption in transit and at rest where possible; note that encryption only limits compelled access if the keys stay outside the reach of the importer and its authorities).
- Revise record keeping practices to ensure that adequate evidence is maintained to demonstrate compliance with data protection laws – e.g. risk assessments over data transfers, revision and updates to SCCs.
- Review data processing and storage requirements to assess whether it is practical to move away from U.S. data transfers to regional processing in the EEA or to a country covered by an EU adequacy decision (e.g. New Zealand, Japan). Relocation creates its own risks and obligations that must be managed.
Protiviti’s subject matter experts continue to support and provide guidance around privacy and security related challenges. To learn more about Protiviti’s services relating to privacy, please visit our Data Security & Privacy Management webpage.