This post is for informational purposes only. Aptible is not a law firm, and this post is not legal advice. You should contact an attorney to obtain advice with respect to any particular issue or problem.
The Court of Justice of the European Union issued a ruling today determining that the EU-U.S. Privacy Shield certification does not meet the requirements of EU data protection law and cannot be used as a basis to transfer data from the EU to the U.S.
Privacy Shield is widely used by U.S. businesses: the registration list includes more than 5,300 companies of various sizes, from small firms to Microsoft.
Under the EU’s General Data Protection Regulation (GDPR), so-called “transfer mechanisms” provide legal safe harbors for data to flow freely from the EU to other countries, including the U.S. The Court’s decision means that U.S. firms doing business in the EU that involves the transfer of regulated personal information must either find alternative legal transfer mechanisms or cease data processing, including storage. This will affect companies with customers, prospective customers, employees, and contractors in the EU.
There are several other transfer mechanisms available under EU law, including the use of a boilerplate set of contracts called the Standard Contractual Clauses (SCC).
The Court of Justice punted on the validity of the SCCs, saying that while they could be valid in some cases, they could also be invalid in cases where the laws of the third country to which the transfer is being made do not ensure an adequate level of protection. Long term, it will be difficult for SCCs to speak to the adequacy of U.S. privacy law, given the perspective the Court of Justice has expressed on that subject in the ruling against Privacy Shield.
According to the IAPP, Privacy Shield is a data flow agreement that enables companies to move data from the EU to the United States. While Privacy Shield was effectively killed, the court also said that the previous decision on Standard Contractual Clauses (SCC) is still valid, for now. Today's ruling means that companies that do business in the EU and bring customer data to the U.S. will likely need to make dramatic changes or risk significant fines.
At this point companies have three options, and we’ll list them in order of (lowest to highest) potential impact on the business.
Option 1: Put Standard Contractual Clauses (SCC) in place
Many agreements between companies, or between companies and consumers, relied on Privacy Shield to enable data transfer. Those agreements (if well written) likely had a fallback clause that automatically enabled SCCs to govern data transfer in the event of Privacy Shield being invalidated. Another common contract variation required a manual signature to bring SCCs into effect in the event Privacy Shield was no longer applicable.
Main takeaway: Companies should consider reviewing their contracts to ensure that SCCs are in place, and if not, either get the signature or get an addendum signed to enable SCCs as part of each customer agreement. If you're considering SCCs as a solution, consult a lawyer.
Option 2: Stop transferring data from the EU to the United States
Without Privacy Shield or Standard Contractual Clauses in place to create a data transfer agreement, businesses transferring data from the EU to the United States could face significant fines. Companies that are able to stop transferring data to the United States and simply operate independently in the EU can avoid fines and also avoid reviewing and amending contracts. However, this may be difficult to enforce for many companies: employees in the United States who access company tools and services containing EU customer data could be considered to be transferring data, exposing the company to fines.
Main takeaway: Companies without agreements that include SCCs should consider not transferring data to the United States, to avoid potential fines.
Option 3: Cease business operations between the U.S. and the EU
An extreme and likely costly solution would be for American companies to stop doing business in the EU, and for EU companies to stop using American companies as vendors. This would only apply to companies that have data transfer as part of their business.
Main takeaway: Companies that have no agreements including SCCs and are also unable to limit data transfer to the United States can cease business to avoid running afoul of EU data regulations.
It’s worth considering that the Court of Justice of the European Union, which killed Privacy Shield, did so because of concerns about United States government surveillance. This concern could in the future be applied to invalidate SCCs, which would require some kind of replacement; otherwise businesses would be forced into ceasing data transfer or ceasing regional business (options 2 and 3).
It’s unlikely that the EU enforcement agencies will begin enforcing immediately; however, businesses waiting to make a decision do so at their own discretion. The Department of Commerce has provided some guidance to American companies that have recently renewed their Privacy Shield certification to continue to operate under Privacy Shield.
If you’d like to learn more about what the death of Privacy Shield means for your business you can watch our webinar on-demand now.