The European Court of Justice Strikes Down the EU-US Privacy Shield
The EU-US Privacy Shield was a framework designed to let US companies more easily receive personal data from the EU and maintain compliance with EU privacy laws. Last week, the European Court of Justice (“ECJ”) invalidated the Privacy Shield because United States law, and, in particular, the ability of US public authorities to access personal data, does not ensure the level of protection required by EU privacy law. Although the EJC did not grant a grace period in its decision, it is widely believed that a grace period will be allowed given the heavy reliance on the Privacy Shield and the immense disruption immediate enforcement would cause.
Who is affected?
Any company that relied on compliance with the Privacy Shield as a basis for transferring data from the EU to the US is affected. This includes companies who directly transfer or receive EU personal data as well as companies who use service providers (such as a payroll company, HR services, etc.) to transfer such data. If you fall into either category and have relied on the Privacy Shield as the legal basis for transferring data, you will need to find a new data transfer mechanism.
Unfortunately, and perhaps even more concerning than the invalidation of the Privacy Shield, the ECJ decision raises questions regarding the other bases many companies use to transfer data between the EU and the US: standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”). SCCs, in particular, have been a common EU data transfer mechanism that did not rely upon the Privacy Shield. While the recent ECJ decision technically upheld SCCs as a mechanism for data transfer, the decision calls into question reliance on either the SCCs or the BCRs going forward in the US. Going forward, companies that rely on the SCCs and BCRs need to conduct an assessment to determine whether they can put in place supplementary measures that create a level of protection that satisfies EU privacy laws. In the alternative, it may be possible for some companies to rely on the General Data Protection Regulation as the basis to transfer personal data from the EU to the US.
Notably, the ECJ granted no grace period for companies that have relied on the Privacy Shield, SCCs or BCRs to transfer data to the US. However, it is widely believed that a grace period will be allowed given the heavy reliance on the Privacy Shield and the immense disruption immediate enforcement would cause.
If your business involves the transfer of personal data from the EU to the US, you should immediately evaluate the legal basis of that transfer. If you have relied on the Privacy Shield, you need to find another basis for the transfer of that data as quickly as possible. If you have relied on the SCCs or the BCRs, you will need to perform an assessment of the adequacy of those measures and, in all likelihood, enact supplementary measures to comply with EU law.
The Privacy team at Cairncross & Hempelmann will be monitoring developments related to this decision and would be happy to assist you if you have questions or concerns arising from this recent decision.
Information contained in this alert is for general information purposes only. It should not be considered as legal advice or the sole source of information when analyzing and resolving a legal issue. If you have specific questions regarding your particular circumstances, please do not hesitate to contact your CH& counsel.