In a landmark opinion issued on July 16, 2020, the European Court of Justice overturned the EU-U.S. Privacy Shield, less than four years after the European Commission decision that the privacy principles of the EU-U.S. Privacy Shield provide an adequate level of protection of EU citizens’ personal data. Now, if Safe Harbor aftermath is a guide, national authorities will be conducting their own investigations into individual complaints. This may significantly disrupt existing company global data flows, or at a minimum, add layers of complexity.
In response to the decision (and some in preparation for it), clients that are currently depending on Privacy Shield to transfer data from the EU to the U.S. (or as the backbone of global transfers) have been taking or are considering one or more of the following solutions:
- Review Data Flows/Compliance Mechanisms and Reroute/Prioritize Remediation. Companies have started or plan to immediately start to inventory:
- What personal data are being stored and transferred;
- What transborder dataflow compliance mechanism is in place to enable the transfer (e.g., Privacy Shield, Standard Contractual Clauses, Binding Corporate Rules or other mechanism); and
- What priority business or operationally critical data transfer activities must remain intact.
- Put Standard Contractual Clauses in Place (and also BCRs Longer Term). Based on the inventory from above, for Privacy Shield pathways that are no longer compliant, companies are putting in place Standard Contractual Clauses/Intra-Group Agreements to cover any data transfer or access gaps they feel they may have. Also, while some companies are looking for outsourcing data storage or certain IT operations to vendors with data transfer mechanisms in place, as a longer-term solution, others are considering putting in place Binding Corporate Rules.
- Perform Contract Amendments. Companies are analyzing existing contracts where there could be a breach based on the European Court of Justice opinion. In such analysis, they are prioritizing key business contracts, data transfer pathways based on Privacy Shield that need remediation and/or contracts that can be quickly fixed by data architecture solutions, like rerouting data to compliance pathways.
- Consider EU Country-by-Country. Companies are identifying data flows and where servers in the EU are located and the specific local requirements, as national authorities will now have jurisdiction for data transfers.
- Review Privacy Shield Statements. Companies are reviewing published statements, such as in privacy policies, on compliance with Privacy Shield and are deciding whether to withdraw from the program.
To learn more about the impact of the decision on your company and about the approaches being taken by others, please contact Jim Koenig, Tyler Newby, Jim Gregoire, Helen Christakos, Kenia Rincon, Brian Hoffman, Hanley Chew or any member of our global privacy and cybersecurity practice.