Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated.  Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:

(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and

(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulation (“GDPR”).

Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.

What is Privacy Shield?  Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.

EU Court holds Privacy Shield to be Inadequate. On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU), held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data. Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fail to meet the “minimum safeguards” guaranteed by the EU.