Corporate Compliance Insights

Privacy Shield is Dead! Long Live Standard Contractual Clauses! (For Now…)

The Impact of the Decision from the Court of Justice of the EU

by Morgan Jones and Scott M. Smedresman
August 6, 2020
in Data Privacy, Featured

The CJEU’s recent decision in Schrems II invalidated the Privacy Shield, but held that standard contractual clauses remain a valid method to protect data exported from the EU. Morgan Jones and Scott Smedresman discuss the practical implications of the decision.

The Court of Justice of the European Union (CJEU, the EU’s highest court) has delivered its long-awaited decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (commonly referred to as Schrems II), invalidating the Privacy Shield as an acceptable method of data export for EU companies into the U.S. but retaining standard contractual clauses (SCCs) as an acceptable method — with a big caveat.

How did the CJEU arrive at these decisions?

The court first looked at what the General Data Protection Regulation (GDPR) required when transferring data to “third countries” or countries outside the EU and countries the European Commission had deemed as providing an “adequate level of protection.” It found that the GDPR required an “appropriate safeguard” to be used to protect the transfer of personal data to one of these third countries, which will provide “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU…”

In its review of the EU-U.S. Privacy Shield, the CJEU found that the Privacy Shield is subject to U.S. national security requirements, such as the Foreign Intelligence Surveillance Act §702, Executive Order 12333 and Presidential Policy Directive 28. None of these are bound by the principles of the Privacy Shield, and some of them do not require U.S. intelligence agencies to abide by the GDPR concept of proportionality (collecting and using only data that is “necessary” for the purpose) and/or do not offer EU citizens the same degree of remedies as U.S. citizens (in some cases none at all, including judicial review) for violations of their data privacy rights.

For these reasons, the CJEU held that the EU-U.S. Privacy Shield did not offer an “essentially equivalent level of protection” and could not be an “adequate safeguard” for the transfer of data. Therefore, the CJEU held that the EU-U.S. Privacy Shield is no longer an acceptable method of data transfer to the U.S. under the GDPR.

With respect to SCCs, the court found that, as with Privacy Shield, U.S. authorities would be able to access data under laws created for national security purposes. But the CJEU held that, unlike the EU-U.S. Privacy Shield, the SCCs remain a valid method to protect data being exported from the EU.

Here, the court’s reasoning focused on the fact that the SCCs require the data controller or data processor that is exporting data from the EU to conduct an analysis of the level of protection of the destination third country and to take additional steps to guarantee protection if necessary. Such steps will depend on specific circumstances but may involve conducting an in-depth analysis of the data importer’s ability to meet its SCC obligations and/or contractually imposing guidelines on U.S. data importers for responding to requests by U.S. public authorities.

Guidance on this analysis is anticipated in the immediate future from the various data protection authorities (DPAs) across the EU, as well as from the European Data Protection Board (a body composed of the heads of all the DPAs). Further, in the event that the data exporter cannot guarantee sufficient protection, an EU citizen can complain to the relevant DPA, which can (and, in the opinion of the court, should) force the exporter to limit or suspend data flows as appropriate.

What does this mean from a practical perspective?

It means that the more than 5,300 companies that successfully completed the EU-U.S. Privacy Shield self-certification program may see little value in their next renewal, but should do the following:

  • Continue to abide by the Privacy Shield principles as they are required to do for any data collected under Privacy Shield, even though they are no longer certified, and notify the Department of Commerce and customers of the same.
  • Determine what data is subject to a transfer from the EU and could be affected by this decision (subject to review for national security, etc.).
  • Review their agreements (especially those with EU customers and business partners) to determine whether this decision requires them to take a specific action:
    • If their data protection agreements with EU customers and/or partners provide for transfer under SCCs, even as a backup to Privacy Shield, they should still be valid. Companies may wish to update the agreements, though, to rely solely on SCCs.
    • If companies rely exclusively on the EU-U.S. Privacy Shield, they should review agreements, especially those with customers in the EU, to find an alternative:
      • SCCs. Parties should quickly provide to customers/partners an updated document incorporating the SCCs, as they are still valid, and offer a quick and comparatively inexpensive solution.
      • Derogations. In limited and specific instances, when there is no appropriate safeguard, a data exporter can rely on derogations under GDPR Article 49 in transferring data to a third country, but an in-depth legal analysis is required, and this should not be a blanket alternative.
      • De-identify/anonymize data. Once personal data that is subject to the GDPR has been irreversibly de-identified or anonymized, it is no longer subject to the GDPR. If it is a financially and practically viable option, companies should consider having EU customers perform this step before exporting data to the U.S.
      • Binding corporate rules (BCRs). Although technically an option, BCRs are a costly and lengthy process involving approval by a European DPA and are not practical for many U.S. companies.
  • If companies are importing personal data from Switzerland, the Swiss-U.S. Privacy Shield program remains valid, and it may be worth it for a company to continue participating in Privacy Shield for this purpose.

Tags: GDPR, Privacy Shield
Morgan Jones and Scott M. Smedresman

Morgan Jones is an associate in the East Brunswick, New Jersey office of McCarter & English LLP. He represents early- and growth-stage technology companies through all stages of the technology life cycle, from structuring, formation, financing, licensing and data matters through exit.
Scott M. Smedresman is a partner in the New York office of McCarter & English LLP. He represents early- and growth-stage technology companies through all stages of the technology life cycle, from structuring, formation, financing, licensing and data matters through exit.