By: Of Counsel Adam Heller

On July 16, 2020, the EU’s Court of Justice ruled the EU-US intergovernmental program for data transfer, called Privacy Shield, was no longer valid. This program had over 5,300 US companies registered and has been a mechanism to allow cross-border data flows.  Without a mechanism in place, cross-border data flows are illegal under EU law.

Why did this happen? 

The Court determined that the US National Security Agency’s broad surveillance rights under US law (made public by Edward Snowden) abrogated the privacy rights of EU citizens.  There were also concerns about the ‘redress’ ability of EU citizens, and that the courts available to them under Privacy Shield would not provide similar protection as under EU courts. 

Is there a Grace Period?

No, at least not yet.  There is an expectation the EU government will issue guidance offering a phase-in period or non-enforcement period or something similar.  When Safe Harbor was invalidated in 2015, it took almost 2 weeks for the guidance to be issued.

What’s the downside of SCCs?

While the substance of the obligations regarding data privacy and security are similar between Privacy Shield and the SCCs, there are differences in liability.  The SCCs can be enforced by European government data protection agencies, as well as those individual end users whose service provider (usually the EU business customer) has gone bankrupt or ceased to exist.  There is also a mandated mediation process.  In addition, the SCCs are ‘flow down’ contracts, meaning that you will need to sign SCCs with your vendors that have access to personal data (e.g., data centers). 

Any other options?

There is an another mechanism under GDPR to allow cross-border data flows, called Article 49 Derogations.  In short, they are carve-outs from the law’s otherwise blanket prohibition on data transfer without authorization.  The derogations are listed in the GDPR statute and include explicit consent, if the transfer is not repetitive, or concerns only a limited number of data subjects.  These derogations may be an option for a company with limited exposure to EU customers or users.

Parting thoughts:

The logic used to invalidate Privacy Shield, namely that there is not sufficient protection from the US government, seems to equally apply to SCCs, so it is likely the courts will be addressing the validity of SCCs in the near future.  But until then, the best option for business with customers or users in the EU is to sign Standard Contractual Clauses.

Similar Posts

Protection of Trade Secrets Starts Before the Lawsuit
| |

Protection of Trade Secrets Starts Before the Lawsuit

ByBlayne Kercher

Employees leave businesses for competitors. It happens all the time. Employees also take with them important information from their previous employer. It happens more often than you would think. A recent case illustrates how one employer’s failure to protect its own information in any meaningful way affected, and may have even lost, its rights to…

The Indemnification Simplification
| |

The Indemnification Simplification

ByBlayne Kercher

Indemnity provisions can be complex. For every two-sentence indemnity, there’s an indemnity section filling up a page and a half (and hilariously, the long indemnity may only be four sentences). Indemnities are one of the most quintessential “legal” provisions you’ll come across. So, in what could be a multi-part series, let’s try to simplify indemnities…

woman-sorting-nda-documents
|

3 Essential Questions to Answer Before Signing an NDA

ByQuentin Cooper

Non-disclosure Agreements (NDAs) are ubiquitous in Silicon Valley. They appear (or in many cases should appear) at the beginning of most commercial transactions. Yet, these important contracts are often signed without thoughtful review of terms or the context of the relationship. Here are three questions that you should ask prior to signing an NDA.