Linda V. Priebe, J.D., CIPP/E from our Privacy, Data and CyberSecurity team at Culhane Meadows PLLC provides a critical update on the landmark ruling by the European Union (EU) on July 16th, 2020, which invalidated the EU-U.S. Privacy Shield and has affected the EU SCC as well.
Stay tuned for news of further EU-U.S. Privacy Shield and other EU and U.S. data privacy/protection developments from Culhane Meadows. For guidance on specific issues related to your EU-U.S. transfers in light of the EU’s ruling to invalidate the EU-U.S. Privacy Shield, Culhane Meadows is ready to help ensure that you are legally compliant with all of your Privacy, Data and CyberSecurity needs. For more information, please contact Linda Priebe at firstname.lastname@example.org.
Many professionals involved in international data privacy compliance woke up on July 16th to important news. In the Schrems II case the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield making it no longer an adequate compliance mechanism for permissible transfers of EU personal data, including employee data, to (or access from) the U.S. The decision eliminates one of the most common legal mechanisms used by companies in the U.S. to receive and access EU personal data and requires prompt action by companies.
The EU-U.S. Privacy Shield is an EU data protection compliance mechanism negotiated between the EU Commission and the U.S. Department of Commerce (DoC) to facilitate personal data flows from the EU to the U.S. The EU-U.S. negotiations created a program administered by the U.S. DoC where participating U.S. companies could earn certification from the DoC allowing them to transfer EU personal data to (and access EU personal data from) the U.S. The EU-US Privacy Shield (and before that the U.S.-EU Safe Harbor) were needed is because under the EU General Data Protection Regulation (GDPR) (and pre-existing European law), requires an approved legal basis to transfer personal data regarding persons located in the EU and/or European Economic Area (EEA) to, or to access EU/EEA personal data from, the U.S. Previously the European Commission had determined that U.S. privacy laws do not adequately protect the privacy of persons in the EU/EEA especially from surveillance by U.S. national security authorities.
Use of EU Standard Contract Clauses is also affected by the ECJ Decision
Based on the legal posture of the Schrems II case, and the results of periodic reviews of the Department of Commerce Privacy Shield Certification Program by the European Commission, many observers in the U.S. did not expect the ECJ to address Privacy Shield in its decision. And if eliminating Privacy Shield isn’t bad enough, the ECJ’s decision also sharply limits the availability of the EU’s long-standing alternative to Privacy Shield certification, the EU Standard Contract Clauses (SCC). Without Privacy Shield in existence to provide legal adequacy under EU law for transfers of personal data to the U.S., the ECJ decision requires companies including SCC in their contracts to be assured that the data protection laws of the destination country (i.e. the U.S.) provide EU equivalent protection and redress to EU/EEA persons to whom the data being transferred to, or accessed from, the U.S. relates. The consequences of not doing so can be major. Under the GDPR, fines for failure to use EU recognized legal compliance mechanisms for transfers of EU personal data to (or access from) the U.S. can be as high as 4% of a company’s total global gross revenue.
CM Clients who are certified under the EU-U.S. Privacy Shield should:
- Contact their Culhane Meadows attorney for guidance specific to their EU-U.S. transfers and access of EU/EEA personal data including employee personal data;
- Review their EU/EEA data flows and access from the U.S., assess the impacts of the Schrems II decision, work with their CM attorney to develop short and long-term response plans, involve leadership in decision making, and document their compliance actions.
- Identify their customer, service provider, and other contracts that include EU data protection provisions which require or rely on EU-U.S. Privacy Shield certification and/or EU SCC for EU-U.S. data transfers and/or access.
- Also, with the help of their CM attorney, review and update their customer, service provider, and other contracts that include EU data protection provisions which require and/or rely on EU-U.S. Privacy Shield certification.
Download PDF of this article HERE.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in ten major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.