December 3, 2020

Volume X, Number 338

Advertisement

December 03, 2020

Subscribe to Latest Legal News and Analysis

December 02, 2020

Subscribe to Latest Legal News and Analysis

December 01, 2020

Subscribe to Latest Legal News and Analysis

European Court Invalidates Data Privacy Shield Relied On By U.S. Companies

Highlights

  • The EU’s Court of Justice has invalidated the Privacy Shield data sharing system between the EU and U.S.

  • The court cited overreaching surveillance by U.S. public authorities

  • Standard Contractual Clauses for the transfer of personal data remain valid, however, they remain the subject of ongoing litigation that could result in their invalidation

On July 16, the European Court of Justice issued its decision in the closely watched Schrems II case and the court has surprisingly invalidated the EU-U.S. Privacy Shield Framework that has served as a primary mechanism for businesses’ transfer of personal data between the European Union and the United States. 

The court has left the Standard Contractual Clauses (SCC) in place as a transfer mechanism, for now, but an Irish court proceeding against Facebook places the clauses at the same risk as Privacy Shield. Businesses and privacy professionals that have relied on the Privacy Shield to provide for the legal transfer of EU personal data must now act quickly to develop a new transfer strategy and ensure data flows remain compliant under the law.

Since July 2016, the Privacy Shield has provided companies on both sides of the Atlantic with a mechanism to comply with European data protection requirements under the General Data Protection Regulation (GDPR) when transferring personal data from the European Economic Area to the United States. Enacted after the Schrems I case invalidated the U.S.-EU Safe Harbor on October 6, 2015, the Privacy Shield had also become an important avenue for companies to avoid the laborious process of trying to ensure each data transfer separately complied with governing laws. 

U.S. organizations have been able to self-certify to the U.S. Department of Commerce under the Privacy Shield by publicly committing to comply with the framework’s requirements. As of July 2020, 5,378 companies were listed as having self-certified their voluntary compliance with the Privacy Shield. Each of these businesses must now immediately identify a new legal means to transfer this data.

Court’s Decision and Standard Clauses

The court’s decision is based upon its finding that European data subjects were being afforded a lower level of protection in the U.S. than in the EU, and that the Privacy Shield protections were not sufficient to guarantee EU data subjects’ personal data under the GDPR. An increase in U.S. digital surveillance over the years and lack of U.S. data protections as compared to the EU has raised questions as to whether European individuals’ privacy rights can be adequately protected when their personal data is transferred to the U.S. 

The Court has upheld for now the continued use of SCCs for the transfer of data from member nations to third party nations, but admonished that any such transfers must “ensure compliance with the level of protection required by EU law,” a responsibility that rests on the data exporter and the recipient prior to commencing such a transfer.  The SCC are sets of contractual terms and conditions between the sender and recipient of personal data, which are supported by the European Commission and intended to comply with GDPR’s requirements.

The court further clarified that supervisory authorities are required to, and therefore have the ability to, suspend or prohibit a transfer of personal data to a third country where they take the view that the standard data protection clauses are not, or cannot be, complied with or ensured by other means. 

The highlighting of this ability presents ongoing compliance challenges for companies considering data transfers. This is especially true in light of the previously issued opinion by the Irish court that referred this case to the European Court of Justice, wherein the court suggested “the provisions of law in the [United States] may be the basis for suspending or prohibiting data transfers pursuant to an SCC. . . .” 

What To Do Now

Now that the case has been referred back to the same Irish data protection authority and the referring Irish court by the European Court of Justice, careful monitoring for further developments regarding the future validity of data transfers pursuant to SCCs, and preparation in the event such transfers are invalidated, will be paramount. 

In the wake of this important decision, there are several steps companies should consider taking to help ensure their future transfers of protected personal data are legally compliant: 

  • Work expeditiously to identify alternate means for data transfers between the EU and the U.S.

  • Identify existing EU-U.S. data flows to determine whether Standard Contractual Clauses are an appropriate alternate legal transfer mechanism for EU personal data subject to GDPR

  • Undertake a careful examination of any existing Standard Contractual Clauses-based transfers to ensure compliance with the GDPR

  • Analyze alternative means of transferring data where possible, like utilizing European data hubs

  • Monitor additional developments regarding the validity of Standard Contractual Clauses to ensure legally compliant data transfers

© 2020 BARNES & THORNBURG LLPNational Law Review, Volume X, Number 199
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Brian J. McGinnis, Barnes Thornburg Law Firm, Indianapolis, Intellectual Property Law Attorney
Partner

Brian J. McGinnis is an attorney with Barnes & Thornburg LLP where he is a member of the firm's Intellectual Property Department and the Internet and Technology and the Data Security and Privacy practice groups. He is resident in the firm’s Indianapolis office.

Brian's practice is focused at the intersection of the law and technology. He has developed a national practice advising clients ranging from multinational corporations to startups on the broad range of legal matters pertaining to technology, intellectual property protection and...

317-231-6437
Jason Bernstein Data Security & Privacy Attorney
Partner

A co-chair of the firm’s Data Security and Privacy practice, Jason Bernstein is a business adviser who helps clients develop, manage, protect and leverage their IP assets and valuable data. By offering real depth in a multitude of disciplines and industries, Jason is appreciated for his proven business acumen and creative problem-solving ability.

Inventions, innovations and information, particularly information security and privacy matters, are at the core of Jason’s practice. With more than three decades of experience, Jason advises on strategic planning for and the protection of...

404-264-4040
Todd Vare IP lawyer Barnes Thornburg
Partner

Todd G. Vare is a partner resident in the Indianapolis office of Barnes & Thornburg LLP. Mr. Vare represents clients in the protection and enforcement of intellectual property rights in trial and appellate courts around the country, and was listed in the 2012 edition of Best Lawyers in America.

Mr. Vare has litigated patent disputes covering a wide variety of technologies, including herbicides/pesticides, dielectric fluids, genetics, pharmaceuticals, medical devices, telecommunications, microprocessor and integrated circuit designs, software programs...

317-231-7735
Mario Arango Intellectual Property Attorney Barnes & Thornburg Indianapolis, IN
Staff Attorney

Mario Arango is passionate about helping clients understand the law and how to best protect their intellectual property endeavors – whatever they may be. To that end, he represents and advises clients in the entertainment and technology industries on issues including, but not limited to, IP, cybersecurity, privacy, and right of publicity.

Taking a client-centric approach, Mario has experience helping a variety of clients, including world-class musicians, composers, authors, directors, and documentarians, as well as large public entities, in securing and protecting trademarks,...

317-229-3149
Adam Gajadharsingh Insurance Attorney Barnes Thornburg
Associate

Adam Gajadharsingh focuses on commercial litigation, data security, and insurance coverage disputes, along with a variety of other subject matter areas. As a former business owner, he also brings first-hand knowledge of running a company when helping clients with their corporate legal needs.

Prior to joining Barnes & Thornburg, Adam practiced at a firm based in Washington, D.C., and with two other firms based in Atlanta. Adam has handled general corporate, class action, insurance defense, breach of contract, unfair competition, Lanham Act and landlord/tenant disputes. He has...

404-264-4007
Advertisement
Advertisement