By: Of Counsel Adam Heller
On July 16, 2020, the EU’s Court of Justice ruled the EU-US intergovernmental program for data transfer, called Privacy Shield, was no longer valid. This program had over 5,300 US companies registered and has been a mechanism to allow cross-border data flows. Without a mechanism in place, cross-border data flows are illegal under EU law.
Why did this happen?
The Court determined that the US National Security Agency’s broad surveillance rights under US law (made public by Edward Snowden) abrogated the privacy rights of EU citizens. There were also concerns about the ‘redress’ ability of EU citizens, and that the courts available to them under Privacy Shield would not provide similar protection as under EU courts.
Is there a Grace Period?
No, at least not yet. There is an expectation the EU government will issue guidance offering a phase-in period or non-enforcement period or something similar. When Safe Harbor was invalidated in 2015, it took almost 2 weeks for the guidance to be issued.
What’s the downside of SCCs?
While the substance of the obligations regarding data privacy and security are similar between Privacy Shield and the SCCs, there are differences in liability. The SCCs can be enforced by European government data protection agencies, as well as those individual end users whose service provider (usually the EU business customer) has gone bankrupt or ceased to exist. There is also a mandated mediation process. In addition, the SCCs are ‘flow down’ contracts, meaning that you will need to sign SCCs with your vendors that have access to personal data (e.g., data centers).
Any other options?
There is an another mechanism under GDPR to allow cross-border data flows, called Article 49 Derogations. In short, they are carve-outs from the law’s otherwise blanket prohibition on data transfer without authorization. The derogations are listed in the GDPR statute and include explicit consent, if the transfer is not repetitive, or concerns only a limited number of data subjects. These derogations may be an option for a company with limited exposure to EU customers or users.
The logic used to invalidate Privacy Shield, namely that there is not sufficient protection from the US government, seems to equally apply to SCCs, so it is likely the courts will be addressing the validity of SCCs in the near future. But until then, the best option for business with customers or users in the EU is to sign Standard Contractual Clauses.