Today, July 16, 2020, the Court of Justice1 invalidated Privacy Shield as a means to self-certify that a business is securely and appropriately protecting personal data when transferring such data from the EU to the United States. In part, the Court found that the Privacy Shield did not adequately ensure individuals’ audit rights or appropriate recourse, and therefore, the Court invalidated Privacy Shield, effective immediately. There is no grace period.
This same court invalidated the Safe Harbor in 2015, and Privacy Shield then replaced that Safe Harbor.
This ruling impacts more than 5,000 companies that incurred the time and expense to self-certify under Privacy Shield.
Standard Contractual Clauses
The Court notably did not reject the Standard Contractual Clauses (“SCCs”) as a means to allow for international transfers of personal data from the EU to other jurisdictions.
However, if you did, are or plan to rely on the SCCs, today’s ruling has amplified the obligations associated with the SCCs: as an importer of data, a business has the obligation to notify the exporter of the data if the receiving business cannot meet any mandates of the SCCs and/or the General Data Protection Regulation (“GDPR”) in protecting the data. Further, on receipt of such a notice, the exporter must suspend the data transfer unless and until the data importer has remediated the shortcoming so identified.
Further, and while already required under the SCCs, the Court reiterated the obligation of the data exporter to undertake its own due diligence and audit the practices of its intended data recipient outside the EU.
If a data importer here in the U.S. then intends to use subprocessors for handling the imported data, such importers should not only be auditing the subprocessors, but documenting their findings. If the subprocessors cannot appropriately protect the imported data, the importing company should no longer allow the subprocessor to retain the subject data.
According to the Court, in relying on the SCCs, data exporters must also give consideration to the adequacy of remedies in the recipient country if the protections required under the SCCs and the GDPR are violated; and if the recourse is not “adequate”, alternative remedies must be available or data transfer must be suspended.
Note that SCCs provide for individual data subjects to be third party beneficiaries under these clauses, and further provide for a private cause of action.
Besides the SCCs, companies still have other means to transfer data from the EU to the U.S.
Binding Corporate Rules
BCRs, or Binding Corporate Rules, have NOT been invalidated by this ruling. Of course, BCRs, however, only apply to the transfer of data between and among a company’s own branches and subsidiaries, and not to third parties. Further, BCRs are still subject to review and approval before they can be relied upon by a business.
Consent of the Data Subject
Note that consent is a viable means for transferring data from the EU to the U.S. – so if an individual consents (documented) to the transfer, this is still an acceptable basis for cross border data transfers. However, if a company is relying upon consent (i) the consent must be informed, (ii) it must be documented, and (iii) the data collected can only be used for the purposes for which consent was granted. If a company intends to repurpose data collected under consent, new, informed consent will be required.
Dust Off Your Privacy Policies
Companies that currently state on their privacy policies that they are certified under the Privacy Shield will need to revise these privacy policies. And if they are continuing to transmit or receive personal data of EU citizens, these companies will need to consider whether they will now be relying on BCRs, SCCs or consent. In any event, the statements regarding certification under Privacy Shield are now irrelevant.
What Should U.S. Companies Expect and Consider Going Forward
New Legislation: Whether this ruling will finally be the impetus needed for the U.S. Congress to act to adopt a national privacy and data protection laws is yet to be seen. In the absence of a national law, however, it is reasonable to expect that other jurisdictions may look to adopt legislation akin to California (CCPA), which like the SCCs offers a private cause of action for failure to “reasonably” protect personal data, resulting in a data breach.
Increased Audits: Businesses in the U.S. that are currently receiving, have received or expect to receive, personal data of EU citizens will need to look at their processes and policies under GDPR in anticipation of increased audits from the data exporters that were, are or may in the future transmit EU residents’ personal data to those businesses.
Documentation will be key in businesses’ decision whether or not to receive or transmit data, and further to use subprocessors here in the U.S.
Increased Litigation: Businesses should assume, similar to the flurry of cases after May 25, 2018, when GDPR came into effect, litigation is likely to ensue for companies that are currently transferring data from the EU to the U.S. If the receiving companies do not have appropriate policies and procedures in place, consistent with GDPR to protect such personal data, these companies may have significant exposure. And for those companies that do have measures in place, note that each EU Data Protection Authority may interpret and accept or reject those measures as “adequate”.
Do Not Export: Companies that have the option to do so, may revisit whether they need to transfer data outside the EU. And if the answer is no, they will be looking to store data and keep data regarding EU residents only in the EU.
Multinational Mergers and Acquisitions: This ruling and its impact will also impact due diligence in mergers between multinational companies. Whether you are the seller or buyer of a company that processes data of EU residents, thorough due diligence and documentation as to appropriate measures to protect data subjects’ personal information will be important to limit potential liability post-closing.
1 The CJU is the highest court in the EU; and as such, this opinion is not subject to further review or appeal.