On July 17th, the Court of Justice of the European Union (CJEU) released its ruling that Privacy Shield is no longer an adequate method to transfer personal data from the European Economic Area (EEA) to the US.
With over 5,000 organizations holding the self-certification through the US Department of Commerce, in addition to the organizations transferring personal data to these organizations, this ruling will likely have an impact on all organizations transferring personal data from the EEA to the US. Alas, all is not lost, as there are other transfer mechanisms available, including standard contractual clauses (SCCs), GDPR derogations, and binding corporate rules (BCRs).
BCRs are safe for now. However, organizations relying on SCCs need to ensure the third country where they are transferring the personal data does not have conflicting laws to the SCCs. Organizations within countries that have laws that allow public authorities to access those organizations’ personal data will be unable to implement SCCs based on this ruling.
Organizations in the US subject to FISA 702 were provided as an example by Max Schrems as organizations that will be unable to rely on SCCs to transfer personal data, as FISA 702 contradicts the privacy rights provided to Europeans. FISA 702 is a provision of the FISA Amendments Act of 2008, which allows the US government to conduct targeted surveillance of foreign persons located outside the US with the assistance of electronic communication service providers to obtain foreign intelligence information.
If your organization is relying on Privacy Shield, we recommend you continue to adhere to the program’s obligations, as the FTC can still enforce it. Outside of continuing to comply with Privacy Shield, organizations should:
- Review personal data transfers and document any relying upon Privacy Shield
- Review the derogations and guidance surrounding the use of these
- Compile personal data transfers relying upon SCCs
- Determine any conflicts with third-country laws to ensure SCCs can continue to be relied upon
- Keep an eye out for guidance from the DPAs in Europe
- Monitor US and European Commission talks and next steps regarding adequacy