US organizations that transfer personal data into and out of the EU for commercial reasons have been left in limbo after last month’s ECJ (European Court of Justice) ruling that invalidated the EU–US Privacy Shield.
The framework has been heavily criticised by the Austrian Max Schrems – who was responsible for the demise of its predecessor, Safe Harbor – because it failed to protect people’s rights to privacy and data protection.
Schrems was particularly critical of the US government’s monitoring of data transfers, stating: “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market.”
The ECJ and the US Commerce Department have pledged to create a new standard to replace the Privacy Shield, but there are many questions regarding what organizations are supposed to do in the meantime.
Standard contractual clauses
The invalidation of the Privacy Shield came with no grace period, and has left organizations very little protection for transatlantic data sharing beyond SCCs (standard contractual clauses).
These are legal contracts that outline the terms and conditions for data transfers, and although they are widely used to transfer personal data between the EU and the rest of the world, they are not without fault.
Indeed, Max Schrems’ complaint also challenged the validity of SCCs, and although the ECJ chose not to abolish them, it did restrict their applicability.
For an SCC to be lawful, organizations and regulators must conduct a case-by-case analysis to determine whether protections concerning government access to personal data meet EU standards.
This may well lead organizations towards the same problems that invalidated the Privacy Shield.
For example, organizations in the US that use SCCs to receive personal data from the EU must inform the data exporter of any inability to ensure equivalent levels of protection. In those cases, the exporter will be required to suspend or terminate the data transfer under the SCCs.
The future of data transfers
Without the legal protection of the Privacy Shield, organizations are in a perilous position whenever they transfer personal data into or out of the EU, warned Brittany Roush, director of The Crypsis Group.
“It isn’t inconceivable that the courts could test the validity of the SCCs by taking on one of the U.S. tech giants, particularly in light of both Congress’s and the world’s recent focus on data privacy and the EU court’s position that U.S. surveillance laws run afoul of GDPR principles,” she said.
According to Tom de Cordier, partner at CMS, that might mean that multinationals might put forward “EU-only solutions targeted at European customers to hold their data over European territory in the cloud.”
In the meantime, November’s presidential election will have a major influence on the way organizations transfer personal data.
In recent years, several states have passed data protection and privacy laws, but there are increasing calls to address this issue at the federal level.
Last year, Representatives Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., introduced the Online Privacy Act in the House of Representatives. The bill proposed a wide range of new rights for data subjects, but not only did it fail to gain bipartisan approval, it failed to win over even “moderate Democrats.”
Even if, or when, the House of Representatives agrees on the content of a data privacy law, there is still no consensus on the extent to which federal data privacy legislation should pre-empt state law.
If you’re looking for advice on how to meet your requirements in the meantime, our EU–US GDPR Data Transfer Assessment and Action Plan contains everything you need.
Our team of experts will review your data transfer requirements and provide step-by-step advice on how to complete the process as efficiently as possible while also complying with your data protection requirements.