New Restrictions for GDPR data in the US
Disclaimer: We specialize in operationalizing data security and privacy requirements and work closely with security and privacy attorneys, but we are not attorneys.
The European Court of Justice ruled yesterday that Privacy Shield is not adequate to protect EU subject (resident) sensitive data that is transferred to the US. While commercial privacy laws like the California Consumer Privacy Act or the Illinois Biometric Information Privacy Act focus on protecting one’s personal information held or used by businesses, the focus of this judgement was protecting EU subjects from US government access to their personal information. The court upheld the use of Standard Contractual Clauses but requires the importer of the data, e.g., Facebook (the subject of the decision) in the US, to assess what additional measures need to be taken to ensure that the US government cannot access the sensitive data. Exclusions to those protections may exist where there are acceptable reasons, including explicit consent by individuals, necessity for the performance of a contract, etc.
This decision is significant for the thousands of businesses in the US that process EU personal information and must comply with GDPR.
Options for US Businesses that need to comply with GDPR
After choosing an acceptable legal agreement with the controller (Standard Contractual Clauses or Binding Corporate Rules), it appears that businesses have three options:
- Leverage a “derogation”, e.g., the EU resident knowingly opts in to sharing their sensitive information with an understanding that the US government may have access.
- Implement and actively manage controls that prevent US government access, e.g., encryption.
- Relocate the sensitive information to a country that has adequate protections for EU subjects.
The risk is high for businesses that store and process EU subject data. Those residents have a personal right to legal action and can be represented in class action lawsuits. Additionally, the business can be fined up to 4% of revenue or 20 million Euros for violations.
We specialize in Data Protection and Privacy operationalization, but we are not attorneys. We would be happy to provide referrals to legal experts in privacy law.