On July 16, 2020, the EU Court of Justice (CJEU) ruled that the protections provided by the EU-US Privacy Shield were invalid based on the finding that US law cannot adequately ensure protection of personal data of those in the European Economic Area (EEA).  Prior to this decision, the EU-US Privacy shield was likely the most commonly used mechanism for US companies to lawfully receive, process, store and transfer the personal information of the people in the EEA.  The ruling was largely based on the finding that the US government does not limit surveillance of foreigners to that which is strictly necessary, and that both federal and state laws in the United States lack appropriate remedies for those in the EEA. 

Luckily, there are still options recognized by EU’s General Data Protection Regulation (GDPR) for companies that process personal data of those from the EEA in the US.  These options include the use of standard contractual clauses (SCCs) and binding corporate rules (BCRs).  SSCs are clauses in agreements related to data transfer or processing aimed at protecting personal data in accordance with GDPR.  BCRs are rules adopted by companies related to similar data transfer and processing guidelines under GDPR.

It is important to note that the EU Commission is currently in the process of updating the approved SCCs.  A process that was occurring previously but was put on hold pending results in the CJEU decision.  Now that the task has been taken back up, it is important that companies intending on processing personal data in the US keep an eye on the issuance of any such new SSCs and potentially incorporate into their agreements the ability to substitute or amend such agreement, when the new SSCs are issued.

The US has been working on moving toward compliance with the EU-US Privacy Shield framework, with officials from both the US and EU stating that, “The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”  In the Interim, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”

However, despite the Department of Commerce in the US’s commitment to the program, the European Data Protection Board (EDPB) has noted that there is no grace period for those operating solely under the EU-US Privacy Shield regime.  Therefore, it is imperative that companies transferring and/or processing personal data of EEA residents immediately move to implement other safeguards to ensure that they are in compliance with the rules under GDPR.

Given the statements from the relevant US agencies, companies currently certified under the EU-US Privacy Shield framework should consider continued compliance in order to avoid any issues with the statements made to those agencies.  As the Chairman of the FTC stated, “[W]e will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.”

Even if a company is not certified under the EU-US Privacy Shield, if that company is transferring or processing the personal data of residents of the EEA, the company should incorporate the appropriate protections, such as SSCs and/or BCRs, in order to be in compliance with GDPR.  There are some exceptions that companies can rely on, called “derogations for specific situations.”  These are neatly detailed in the European Data Protection Board’s, “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.”  However, it is imperative to ensure that an appropriate derogation applies, or otherwise ensure that the necessary SCCs or BCRs are in place in order to avoid liability under GDPR.

 

Conclusion

If your company receives, transfers or processes personal data from the EEA, it is imperative that you ensure your compliance with GDPR, particularly if you were previously relying on the EU-US Privacy Shield to ensure compliance.  It has been stated that there is no safe harbor or grace period to get into compliance, post the July 16, 2020 ruling that invalidated the EU-US Privacy Shield protections.  Therefore, either ensuring that one of the derogations applies to your company’s situation, or enacting appropriate SCCs or BCRs to provide compliance with GDPR is a necessity that should be addressed promptly.