The Court of Justice of the European Union (“CJEU”) issued a decision, Schrems II, in which the EU-U.S. Privacy Shield was invalidated as a legal mechanism to transfer personal data from the European Union (“EU”) to the United States. Privacy Shield was invalidated as it was deemed to not provide sufficient protection to EU individuals due to the surveillance practices of the US government and related lack of privacy protections.
What this means:
Pursuant to the General Data Protection Regulation (“GDPR”), the transfer or processing (which includes saving, viewing, using, etc., such data) of personal data (generally, any data connected to a person or which could be used to identify a person) of individuals located in the EU from the EU to the United States (and many other nations) is not permitted unless at least one of several enumerated procedures is in place. One such popular procedure for U.S. businesses was to certify under EU-U.S. Privacy Shield. Though the U.S. Department of Commerce, which operates EU-U.S. Privacy Shield, stated that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List,” reliance upon this mechanism appears to no longer be valid for the transfer of personal data from the EU to the U.S.
How the CJEU decision may impact your business:
If you currently rely upon Privacy Shield for the transfer or processing of personal data from the EU, you will need to institute an alternative legal mechanism for such transfer. One popular method for such transfer of personal data is known as Standard Contractual Clauses (“SCCs”). Luckily, the CJEU decision did not invalidate SCCs. Unfortunately, various EU data protection supervisory authorities (“DPAs”) have called into question the validity of the use of SCCs for EU to U.S. personal data transfers and may require a case-by-case analysis of the protections actually in place.
What you should do:
If you previously relied upon Privacy Shield to validate and legalize transfers or processing of personal data from the EU, you should immediately enter into SCCs for all such transfers and contractual arrangements. You should also analyze the actual protections in place to protect and secure such data transfers and processing and take all reasonable steps to make sure that the rights of individuals from the EU are protected in accordance with the requirements and principles of GDPR.
For more information, contact Michael J. Feldman, Esq. at 908-964-2486.