Careers

Experiences

Industries

Offices

Our Firm

Pages

Our People

Updates

Practices

Warner Norcross + Judd LLP is a corporate law firm with over 230 attorneys serving clients in nine offices throughout Michigan. Among the largest law firms in Michigan, Warner works in virtually all areas of business law.

Michigan Law Firm - Warner Norcross + Judd LLP

Today, the Court of Justice of the European Union (CJEU) issued a ruling that will require all U.S. organizations that receive personal data from the EU to examine their cross-border transfer arrangements. The court invalidated the EU-U.S. Privacy Shield program. And while the CJEU did not invalidate standard contractual clauses (SCCs), which is another popular arrangement, its decision raises questions as to whether SCCs can be used generally or in any particular case for data transfers to the U.S. going forward.&nbsp;

contentpilot/introduction

Today’s decision comes in the case&nbsp;Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. The case involves a complaint by Max Schrems that Facebook should not be permitted to transfer his data to the U.S. for processing because the U.S. does not offer sufficient protection of data. A central issue in the court’s ruling was a determination that data sent to the U.S. may be subject to surveillance by U.S. authorities under laws that do not give EU data subjects any rights or remedies.&nbsp;

core/paragraph

If you have relied upon the Privacy Shield program, you need to start planning for an alternative cross-border transfer mechanism. Although the Privacy Shield program is immediately invalidated, we expect that data protection authorities in the EU will allow data exporters time to transition. You could consider SCCs, binding corporate rules or some of the derogations in GDPR Article 49. But also keep in mind that your Privacy Shield certification is still subject to enforcement in the U.S. Even if you withdraw from the Privacy Shield program, all data that you collected while certified under the Privacy Shield program remains subject to Privacy Shield requirements for so long as you maintain that data.&nbsp;

If you rely upon SCCs to import data from the EU, the ruling requires you to evaluate not only the contractual promises between you and the EU data exporter, but also the relevant laws that may give U.S. governmental authorities access to the personal data, the legal rights and remedies that EU data subjects have under these laws, and whether there are any additional protections you can put in place to protect data subjects’ rights. If you cannot adequately protect data subjects’ rights, then SCCs may not be the right cross-border mechanism for you. In that case, you should consider whether there are derogations in GDPR Article 49 that may still allow you to import the data, such as explicit consent or transfers that are necessary for the performance of a contract.&nbsp;

This ruling did not consider binding corporate rules, but going forward we anticipate that those arrangements may be scrutinized in the same way as SCCs.&nbsp;Warner’s cybersecurity and privacy team is here to help and will continue to monitor developments on this issue. Please reach out to&nbsp;<a href="http://wnj.com/people/norbert-f-kugele" target="_blank" rel="noreferrer noopener">Norbert Kugele</a>,&nbsp;<a href="http://wnj.com/people/kelly-r-hollingsworth" target="_blank" rel="noreferrer noopener">Kelly Hollingsworth</a>,&nbsp;Alexandra Chitwood,&nbsp;Lexi Woods&nbsp;or any other member of our Cybersecurity and Privacy Practice Group if you need assistance.

Associate

Alexandra E. “Alex” Haywood

Partner

Kelly R. Hollingsworth

Of Counsel

Norbert F. Kugele

Cybersecurity and Privacy

European Union Strikes Down Privacy Shield and Requires More Analysis for Standard Contractual Clauses

Warner Norcross + Judd LLP is responsible for the contents of our advertising and this website. Please read our full <a href="/privacy-policy/" aria-label="see privacy policy">privacy policy</a> available on our website. If you have any questions or comments about our website or our Privacy Policy please contact us at <a href="mailto:info@wnj.com">info@wnj.com</a> or 616.752.2000.

European Union Strikes Down Privacy Shield and Requires More Analysis for Standard Contractual Clauses

professionals