October 26, 2020

Volume X, Number 300

European Court of Justice Annuls EU-US Privacy Shield Framework

The Court of Justice of the European Union (CJEU) declares invalid a decision of the European Commission which attested that the EU-U.S. Privacy Shield provided adequate protection to personal data transferred from the EU to the U.S., if the receiving party had self-certified its adherence to the Privacy Shield Principles. At the same time, the CJEU clarifies that the so-called standard contractual clauses (SCC) may still be used – with important caveats.

The Verdict’s Massive Impact

The ruling has an impact on (a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and (b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.

Reasoning Behind the Annulment

As in the case of the Privacy Shield’s predecessor (the “U.S.-EU Safe Harbor Framework”), which was overturned by the CJEU in 2015, the CJEU criticizes the fact that neither U.S. law nor the Privacy Shield provides for effective remedies against the far-reaching rights of U.S. intelligence services. Therefore, the Privacy Shield does not meet the strict requirements of EU data protection law. The CJEU also found that the Privacy Shield ombudsman role was ineffective for providing EU data subjects an adequate level of protection or appropriate redress.

The Good News: CJEU Approved the SCC (Processors)

Fortunately, today’s ruling explicitly approves the general validity of the SCC (Standard Contractual Clauses) per se, but does leave them open to be challenged in the future. However, the CJEU stresses that the parties to the transfer are responsible for assessing on a case-by-case basis whether the SCC constitute a suitable mechanism to justify the transfer in question or not.

Depending on the laws and regulations of the country of destination, compliance with the SCC may require additional measures to be taken by the parties to secure the personal data subject to the GDPR. The CJEU emphasizes that the parties must immediately refrain from transferring data if its adequate protection cannot be ensured. If the parties, nevertheless, continue to base their processing on the SCC, then according to the CJEU, the competent EU supervisory authority must suspend or prohibit the transfer. In doing so, it should involve the European Data Protection Board, where appropriate, to ensure consistency of decisions across the EU.

What Now?

Companies that are subject to the GDPR should consider (i) their data flows to the U.S., (ii) the respective legal mechanism for such transfers to the U.S., and (iii) if the EU-U.S. Privacy Shield is the current transfer mechanism, put in place a legitimate transfer mechanism for such activities.

Even where data transfers are based on SCCs and are made to non-EU states other than the U.S., organizations should assess whether the undertakings in the SCC are met throughout their term. Any changes required by the above may also need to be reflected in the company’s privacy policy, records of processing activities, etc.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 198

About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney
Partner

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity, The Cloud, Artificial Intelligence, Big Data
Shareholder

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.

Concentrations

  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development

  • COPPA, HIPAA, TCPA, PCI-DSS, CAN-SPAM

  • Privacy and security gap assessments

415.655.1319
Kate Black Shareholder GT Law Miami SF Data, Privacy & Cybersecurity Life Sciences & Medical Technology IP Technology Licensing & Transactions
Shareholder

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and...

305-579-0500
Marijn Bodelier, Greenberg Traurig Law Firm, Amsterdam, Real Estate and Environmental Law Attorney
Of Counsel

Marijn Bodelier specializes in public law, real estate and environmental law. Marijn has particular experience in litigation in regulatory and real estate related matters. He is regularly involved in international transactions and innovative projects where public law aspects are a key element.

Concentrations

  • Public law
  • Property development
  • Permits and enforcement
  • Government contracts/procurement
  • Data...
+31 (0) 20-301-7309
Luigi Fontanesi Intellectual Property Lawyer Greenberg Traurig Law Firm Milan
Partner

Luigi Fontanesi represents clients on judicial and non-judicial matters in the fields of industrial law, intellectual property, trademarks, advertising, unfair competition, information technology, privacy, and media, as well as commercial issues related to company reorganization and insolvency law.

Luigi has deep experience in drafting, negotiating, and setting up domestic and international franchising; master franchising, merchandising, distribution, research; and licensing contracts concerning trademarks, patents, software, register design, industrial design, and know-how.

...

(39) 02.771971