Today, the Court of Justice of the European Union (CJEU) issued a ruling that will require every U.S. organization that receives personal data from the EU to re-examine its cross-border transfer arrangements. The court invalidated the EU-U.S. Privacy Shield program. And while the CJEU did not invalidate standard contractual clauses (SCCs), the other widely used transfer mechanism, its decision raises questions about whether SCCs can lawfully support transfers to the U.S. at all, or in any particular case, going forward.
Today’s decision comes in the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. The case involves a complaint by Max Schrems that Facebook should not be permitted to transfer his data to the U.S. for processing because the U.S. does not offer sufficient protection of data. A central issue in the court’s ruling was a determination that data sent to the U.S. may be subject to surveillance by U.S. authorities under laws that do not give EU data subjects any rights or remedies.
If you have relied upon the Privacy Shield program, you need to start planning for an alternative cross-border transfer mechanism. Although the Privacy Shield program is immediately invalidated, we expect that data protection authorities in the EU will allow data exporters time to transition. You could consider SCCs, binding corporate rules or some of the derogations in GDPR Article 49. But also keep in mind that your Privacy Shield certification is still subject to enforcement in the U.S. Even if you withdraw from the Privacy Shield program, all data that you collected while certified under the Privacy Shield program remains subject to Privacy Shield requirements for so long as you maintain that data.
If you rely upon SCCs to import data from the EU, the ruling requires you and the EU data exporter to evaluate not only the contractual promises between you, but also the U.S. laws that may give governmental authorities access to the personal data, the legal rights and remedies that EU data subjects have under those laws, and whether there are additional safeguards you can put in place to protect data subjects' rights. If you cannot adequately protect those rights, SCCs may not be the right cross-border mechanism for you. In that case, consider whether one of the derogations in GDPR Article 49 still allows you to import the data, such as the data subject's explicit consent or a transfer that is necessary for the performance of a contract.
This ruling did not consider binding corporate rules, but going forward we anticipate that those arrangements may be scrutinized in the same way as SCCs. Warner’s cybersecurity and privacy team is here to help and will continue to monitor developments on this issue. Please reach out to Norbert Kugele, Kelly Hollingsworth, Alexandra Chitwood, Lexi Woods or any other member of our Cybersecurity and Privacy Practice Group if you need assistance.