On July 16, 2020, the European Court of Justice (“ECJ”) handed down the Schrems II decision, striking down the current incarnation of the EU-U.S. Privacy Shield Framework (“Privacy Shield”) as an adequate mechanism for transferring personal data from the European Union to the United States, and outlining additional obligations for such data transfers. But don’t panic — a nearly identical situation occurred in 2015, and VeraSafe is well-experienced in helping our clients navigate the changes that must be made now and once a replacement framework is agreed on.
- Organizations participating in the Privacy Shield Framework are required by U.S. law to continue to comply with all of the Framework’s rules.
- The Swiss-U.S. Privacy Shield is still valid, and data flows from Switzerland to the United States may proceed as usual under the Privacy Shield Framework.
- Organizations should now ensure that transfers of personal data from the EU to the U.S. are also covered by the Standard Contractual Clauses, to help ensure continuing compliance with Chapter V of the General Data Protection Regulation (“GDPR”). Contact VeraSafe for assistance with this, as additional requirements for the use of Standard Contractual Clauses may now apply under Schrems II.
- It’s likely that there will be a successor to the Privacy Shield within a short period of time (in the previous instance, the Privacy Shield was agreed on less than four months after Safe Harbor was invalidated).
- The U.S. Department of Commerce believes that an EU-U.S. data transfer framework is tremendously important, and it is a priority of the Department to find a solution that promotes the interests of U.S. businesses.
- The successor framework will likely have a lot in common with the Privacy Shield, so work done on Privacy Shield compliance will still be useful and provide a great jump-off point for complying with the new framework.
- VeraSafe’s Privacy Program goes above and beyond the requirements of the Privacy Shield and more closely resembles the GDPR than the Privacy Shield itself. So while some small modifications to your organization’s data protection program may be needed as the successor framework takes form, if you are a member of the VeraSafe Privacy Program, you’re in great shape to be able to quickly certify under the Privacy Shield successor.
Today’s decision reflects the tension between the EU’s highest court and the European Commission, the executive body of the EU, over international transfers of personal data. The ECJ’s ruling in Schrems II relies, in essence, on the same reasoning that in 2015 led the Court to strike down Privacy Shield’s predecessor framework, the U.S.-EU Safe Harbor Framework.
Regulators Race to React
Given the immense importance to international trade of data transfers between the EU and the U.S., it is likely that the U.S. Department of Commerce and the European Commission will implement a successor framework in 2020 or early 2021. For comparison, the Privacy Shield was finalized less than four months after the Safe Harbor Framework was invalidated.
The U.S. Department of Commerce announced today that it would nonetheless continue to administer the Privacy Shield program, including processing certification and re-certification submissions. Organizations currently on the Privacy Shield list remain bound to uphold their Privacy Shield obligations, and noncompliance with the Privacy Shield remains a violation of the Federal Trade Commission Act for participating organizations.
No Major Change for UK and Swiss Data Flows
While this decision means that your organization can no longer rely on its Privacy Shield certification to receive personal data from the EU, the Framework is still fully binding and functional from the standpoint of Swiss law. This ruling has no effect on the Swiss-U.S. Privacy Shield Framework: data transfers between Switzerland and the U.S. remain unaffected and may proceed in reliance on the Privacy Shield.
The UK Data Protection Authority (“ICO”) has recommended that organizations continue using the Privacy Shield for transfers from the UK to the U.S. for the time being. Further, existing guidance on Brexit suggests that the Privacy Shield will continue to serve as a viable tool for sending personal data from the UK to the U.S. after the end of the transition period (which ends on the last day of 2020). We are monitoring guidance issued by the ICO on Privacy Shield and we will keep you updated as soon as it is available.
Until the replacement framework is agreed on, your organization will need to implement an alternative method to lawfully transfer data to the U.S. in compliance with the GDPR. Please rest assured that VeraSafe has guided its clients through this situation before, and is well equipped to help you navigate the current uncertainty surrounding cross-border data transfers.
Do’s and Don’ts
- Don’t panic.
- Don’t remove your organization from the Privacy Shield list.
- Do continue to comply with your organization’s obligations under the Privacy Shield, which continue to be binding and enforceable.
- Do convene a meeting of your internal privacy team to initiate your organization’s response.
- Do contact VeraSafe for assistance implementing alternative data transfer methods and strategic planning to ensure business continuity.
- Do review your data transfers (within your organization, from clients, and to your service providers), to identify where changes to the contracts and additional safeguards — such as encryption or tokenization — may be needed. VeraSafe can assist with this.
- Do update records of processing and data processing agreements/addendums where necessary. VeraSafe can assist with this.