Companies have a new puzzle to solve.
First, stay cool. We will figure this out and find a way through! We are all in the same boat and as with all matters of complicated data protection law, compliance is doable. Here is a quick update on the decision.
In the much-anticipated opinion from the Court of Justice of the European Union in “Schrems II”, the EU-US Privacy Shield was invalidated based on its failure to adequately address US government surveillance activities. Importantly, the Court upheld the use of Standard Contractual Clauses for transfers but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient. This requires a case by case analysis to ensure that “that data subjects must be afforded appropriate safeguards, enforceable rights and effective legal remedies.” The Court also states that supervisory authorities will need to enforce the clauses (and suspend transfers) if it is not possible to offer sufficient data protection in the third country. Arguably this calls into question the ability to transfer data to the U.S.
There will be a lot to digest in the days and weeks to come. We will figure this out and there is an international commitment to find a solution. Notably, the European Commission issued a statement affirming its commitment to working with its American counterparts to address the impact of the decision and emphasized that it is working intensively to modernize the Standard Contractual Clauses.
That said, there is exposure and if you haven’t reviewed the strength of your internal privacy program and especially your record-keeping, now is the time. Are you able to demonstrate that you have contracts in place and that you have assessed that there is adequate protection?
For now, please note that if you have Privacy Shield, those commitments are still enforceable by the Department of Commerce. This was made clear in a press release issued this morning.
Please join the International Association of Privacy Professionals which will be providing a live broadcast tomorrow discussing this decision in length.
Ask us how how we can help you find a way through this new puzzle and support your ability to continue lawful transfers of data from the EU to the US.