
U.S. Department of Commerce Responds to the Court of Justice of the European Union Ending EU-U.S. Privacy Shield

Written by: John Weaver

8/19/2020

Last month, the Court of Justice of the European Union (CJEU) struck down the 2016 data-sharing agreement between the United States and the European Union, which permitted personal data to be transferred from the EU to the United States consistent with European law, including the General Data Protection Regulation (GDPR). In doing so, the CJEU terminated the EU-U.S. Privacy Shield, the mechanism that many American companies have relied on to import European data to their facilities in the United States.

In response, the United States Department of Commerce, which administers the Privacy Shield program in the United States, has issued a FAQ. Although the Department has information for continuing to rely on the Swiss-U.S. Privacy Shield program, it provides little guidance regarding the EU-U.S. Privacy Shield. The companies that have relied exclusively on the Privacy Shield for the transfer of data from the EU must immediately find other mechanisms to process European data that are consistent with European and American law, particularly the GDPR’s Standard Contractual Clauses (SCCs).

Privacy Shield

The EU-U.S. Privacy Shield program gave organizations in the United States a relatively easy path to legally import European personal data. A participating organization registered with the Department of Commerce, verifying that it will uphold defined privacy principles (e.g., notice, choice, access, and accountability), and submitting its privacy policy so that Commerce could confirm that the organization satisfies the principles. Annual re-certification was required thereafter. More than 5,000 companies are registered under the Privacy Shield program. By participating in the EU-U.S. Privacy Shield, American organizations did not have to rely on the SCCs, and many did not sign SCCs with their customers and vendors because the EU-U.S. Privacy Shield permitted the data transfers they needed.

CJEU Ruling

The CJEU ruling is the result of a long-standing legal fight pursued by an Austrian lawyer named Max Schrems to enforce European personal data protections on Facebook. This is not his first trip to the CJEU, which ruled in his favor in 2016 by striking down the predecessor to the EU-U.S. Privacy Shield, called the Safe Harbor rule. In striking down the EU-U.S. Privacy Shield, the CJEU pointed to the United States’ privacy and surveillance laws, noting that American intelligence agencies have too much access to the user data accumulated by large technology companies and that European citizens are not able to effectively object to that access.

Although the CJEU struck down the EU-U.S. Privacy Shield, it specifically upheld the SCCs, which are EU-approved contractual clauses governing cross-border transfers of data. Although the language of the SCCs is designed to be non-negotiated, in some ways they impose greater burdens on both the party in Europe providing the data and the party receiving data in the United States. European entities that export data to other countries pursuant to the SCCs are obligated to ensure that the recipients comply with the terms of the SCCs, which permit audits to ensure that compliance. In the wake of the CJEU’s recent decision, American companies should expect more of these audits. Although audits are required by the SCCs, some terms governing audits (e.g., distribution of costs) can be negotiated in data processing agreements.

Similarly, if the data supervisory authority of a European nation finds that the privacy laws of a data recipient’s country make compliance with the SCCs impossible, the supervisory authority may suspend data transfers conducted pursuant to the SCCs. It is likely that European supervisory authorities will undertake compliance reviews of the United States in the wake of the CJEU decision, which may further affect data transfers from the European Union.

Next Steps for American Companies

Every organization that imports personal data from the European Union, Switzerland, or the United Kingdom should immediately identify all the legal mechanisms it uses to facilitate those transfers. The mechanisms are most likely the Privacy Shield, the SCCs, or a combination of the two. Larger companies with a European presence may seek to move all their processing of European personal data to the EU, but that option will not be available for most companies.

Where data transfers are based on the EU-U.S. Privacy Shield, the organization should contact its clients and vendors about entering into the SCCs in order to make data transfers consistent with the CJEU ruling and European law. Indeed, many European customers are already reaching out to their American service providers about this. European organizations are likely to be more sensitive to the requirements of the SCCs going forward, so an American organization that is or will be a party to the SCCs needs to conduct a comprehensive assessment of its compliance with the terms of the SCCs and GDPR. This should be done with the assistance of experienced counsel, who can advise the organization on non-compliance, remediation, and responses to audit requests from European partners.

Additionally, although the Swiss-U.S. Privacy Shield remains intact, it is possible that the Swiss Federal Data Protection and Information Commissioner will issue a ruling following the guidance of the CJEU. American companies should therefore be prepared to rely solely on the SCCs to import relevant data from Switzerland.

Although there is likely to be a successor mechanism to the Privacy Shield, when and how that comes into existence is unknown. For the time being, companies that rely on trans-Atlantic data transfers for their operations should ensure that they have the necessary SCCs in place and that they can comply with the requirements of the SCCs.
