EU-U.S. Data Transfers Under Fresh Spotlight Following Irish DPC Ruling

Pillsbury Winthrop Shaw Pittman LLP
Contact

Pillsbury Winthrop Shaw Pittman LLP

TAKEAWAYS

  • Today, the Irish High Court ruled that Ireland’s Data Protection Commissioner (DPC) can resume investigation of Facebook’s data practices, which may lead to a ban on its transatlantic data flows.
  • The DPC had issued a Preliminary Draft Decision (PDD) that the mechanism relied upon, Standard Contractual Clauses (SCCs), and which many other businesses rely upon also, cannot in practice be used. The court’s rejection of the challenge to the PDD could, therefore, have serious consequences for EU-U.S. data flows.
  • Businesses will, therefore, need to watch developments re any ban based on current SCCs use and urgently review what processes and documentation may need to change to reflect that and/or look to possibly use new SCCs, drafts of which were recently proposed by the European Commission.

Today saw a key ruling by the Irish High Court which could have wide ranging implications in relation to a range of data use, targeted advertising and data transfers between Europe and the United States.

The Irish data protection enforcer, the DPC, had issued a Preliminary Draft Decision (PDD) raising various concerns over the lack of privacy rights of EU citizens when their personal data is transferred to the U.S. for commercial purposes and the basis typically relied upon by businesses, namely, the Standard Contractual Clauses (SCCs).

SCCs are pre-approved terms that, if used correctly, can provide a basis for transferring European data to the U.S. and avoid the GDPR prohibitions on such transfers (given the U.S. is not deemed to provide adequate protections).

In a July 2020 ruling (known as Schrems II), Europe’s top court had looked at both SCCs and the Privacy Shield data transfer scheme, only to shoot down Privacy Shield. Although various points and concerns were flagged in that ruling, SCCs survived. As a result many businesses have sought comfort in using SCCs as their basis for transatlantic data flows.

This latest Irish DPC decision now threatens to have a significant ripple effect as it throws a cloud over use of the current SCCs. Other regulators in European countries (whether the EU or UK) will be watching with interest and could adopt similar enforcement guidelines. With Privacy Shield shot down many businesses that could not use it had turned to using SCCs.

One possible silver lining does exist in the form of new draft SCCs, which were published by the European Commission at the end of 2020. These were intended to update the current “old” SCCs in any event and have been going through consultation and review stages.

There is no set date for when these will be able to be used but the hope was it could be later this year.

The bottom line for businesses is that they should be aware we may be headed for a prohibition or restriction on EU-U.S. data flows. Accordingly, businesses should now review what basis they are relying on for their data transfers and consider what they need to do to best anticipate and be ready for such changes.

As a minimum, it would be prudent to consider now what processes, agreements and documentation may need to change.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising

Written by:

Pillsbury Winthrop Shaw Pittman LLP
Contact
more
less

Pillsbury Winthrop Shaw Pittman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.