The End of the EU-U.S. Privacy Shield Arrangement

Bottom Line

As of July 16th, Privacy Shield is dead and companies exporting personal data of EU residents to the United States will need to rely on alternative legal measures to legitimize the transfer; further guidance and new compliance measures are expected in the near future.

Case Summary

The Court of Justice of the European Union (“CJEU”) issued its decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems ("Schrems II") on July 16, invalidating the EU-U.S. Privacy Shield regime that previously governed the export of personal data of EU residents outside of the EU and European Economic Area (“EEA”). Following the decision, the CJEU published a press release to contextualize the case and its significance in international privacy law.

This decision impacts thousands of corporate organizations on both sides of the Atlantic that collect data from EU residents. Although Schrems II has cast uncertainty over data export privacy law, there are key actions organizations can take to comply with the General Data Protection Regulation (“GDPR”) which is the overarching data privacy regulation in the EU that applies to the export of EU resident data to third countries.

Does the GDPR apply to my organization?

If your organization collects personal data of EU residents, the GDPR applies to your privacy practices. This includes organizations that license or sell software to data controllers, or whose clients use their product to collect user data. Organizations and controllers often use a third-party sub-processor to analyze and utilize data. The GDPR forbids the export of EU resident data to countries outside of the EEA unless the third country's privacy laws are deemed “adequate,” or appropriate privacy controls are implemented.

Before Schrems II, organizations could comply with the GDPR by the following methods:
  • Entering into Data Processing Agreements drafted in accordance with the GDPR Articles to guarantee that controllers and sub-processors would protect EU resident information;
  • Meeting Privacy Shield requirements, or adequate third country national privacy standards (“Adequacy Agreements”); and
  • Including controller-to-processor Standard Contractual Clauses (“SCCs”) in Data Processing Agreements in lieu of an Adequacy Agreement, or to further ensure privacy compliance.

Currently, Canada is deemed to have an adequate level of protection under the Personal Information and Electronic Documents Act, as found in Commission Decision 2002/2/EC, which was released in 2001. However, that decision could be revisited and overturned, as it pre-dates the GDPR, which introduced more stringent EU data protection standards.

If you are a Canadian organization but utilize sub-processors located in a jurisdiction with an Adequacy Agreement, you require a Data Processing Agreement but do not need to include SCCs to lawfully export EU resident data. However, the Schrems II ruling now holds that the EU–U.S. Privacy Shield is not adequate to protect EU resident data from use by U.S. public authorities. U.S. organizations can no longer ensure lawful data export by meeting the adequacy requirement, but the CJEU suggests that organizations can continue to use SCCs in Data Processing Agreements with U.S. organizations to comply with the GDPR. However, organizations should be cautious of over-reliance on existing SCCs: the Schrems II judgement is ambiguous as to whether the SCCs will be sufficient to meet the adequacy requirement in all cases moving forward. The ruling suggests that exporting organizations should conduct a thorough due diligence check to ensure that the internal and jurisdictional privacy protections of U.S. and third country sub-processors are compliant with EU standards.

Moving forward and maintaining GDPR compliance

Although the Schrems II ruling has caused uncertainty, and although it is unclear whether the CJEU will offer organizations a compliance grace period as it did with the Safe Harbour decision, there are immediate actions your organization can take to comply with GDPR privacy requirements.

First, it is important to understand precisely what data is covered by the GDPR. The European Commission defines “personal data” as “any information that relates to an identified or identifiable living individual,” which may cover data your organization collects.

Second, many Data Processing Agreements already include SCCs as a matter of standard practice, so assess existing contracts to see whether SCCs are in place. Schrems II is somewhat ambiguous as to whether SCCs are sufficient in all cases to meet the adequacy requirement, so your organization should evaluate whether existing SCCs offer sufficient protection regarding access by U.S. public authorities and adhere to EU privacy laws. Regardless, ensure that the SCCs clearly outline the privacy protections your organization has in place.

Third, expect that EU Privacy Regulators will release further regulations and revised processes for data protection. Your organization may wish to seek advice from an EU legal expert to keep informed of further legal developments. For example, the Data Protection Commissioner in Ireland has released a statement regarding the CJEU decision that provides some insight into the future of data protection.

Fourth, be proactive in implementing updated data privacy practices to address the invalidity of Privacy Shield, including adopting binding corporate privacy rules to create a plan for how your organization will safeguard different types of information.

EU Legal Advice

The information contained herein is intended for general information purposes only and should not be relied on as legal advice intended for any specific business or circumstances. You should consult with E.U. legal counsel for specific advice on what your company needs (if anything) to do in light of the matters outlined herein and more generally to comply with the GDPR and other European privacy laws.
Copyright © 2020 LaBarge Weinstein, All rights reserved.