As you may be aware, last Thursday the Court of Justice of the European Union (CJEU) issued a dramatic opinion in the Schrems II case that invalidated the EU-U.S. Privacy Shield Agreement and called into question the extent to which U.S. companies can rely on the EU Standard Contractual Clauses (SCCs) as the basis for data transfers.
We know companies, especially those that participate in the EU-U.S. Privacy Shield, have a lot of questions about the practical implications of this decision. So, we wanted to share a few initial thoughts on some concrete steps companies can take in response. Here are our top six:
1. Maintain Compliance
If you process EU personal data, you must continue to comply with the GDPR. Nearly everything a company does to stay in compliance with the Privacy Shield is also necessary to comply with the GDPR itself (with the exception of a few formalities associated with signing up for, and annual recertification of, Privacy Shield participation). Further, to the extent you collected EU data under a promise to protect it according to Shield principles, that commitment is ongoing for as long as you retain that data, even though the EU Shield is no longer a valid means of data transfer. Additionally, The Swiss-U.S. Privacy Shield is still in effect (for now), so participants in that program need to maintain compliance. So, keep your compliance programs in place. These should remain part of your baseline compliance activities for European data.
2. Review Your Privacy Statement(s)
As a Privacy Shield participant, your company’s privacy statements will have certain language required by Privacy Shield. Companies have several options with regard to that language. At the highest level, your decision will be whether to maintain, revise, or remove that language from your privacy statements.
Option 1: Maintain Privacy Shield Language. Some companies may want to maintain their Privacy Shield language to convey that they still treat EU data according to EU standards even though the EU Shield as a method for transfer is invalid.
However, if you wish to keep Privacy Shield language in your privacy statements, you should make sure that it does not state that you rely on the Privacy Shield as a legal basis for transferring data from the EU. If you have language suggesting that you rely on the Privacy Shield as a basis for transfers from the EU or the UK, European regulators will find that problematic. Instead, you should make sure that your privacy statements just say that your company protects EU data according to the Shield principles.
You could even acknowledge the Schrems decision by stating something like: “although the EU-U.S. Privacy Shield has been ruled invalid, while government discussions regarding possible replacement mechanisms proceed, we will continue to protect European data according to the standards of the Privacy Shield and applicable EU law.” If, however, you modify the Shield language to such an extent that it no longer meets the requirements of Shield participation, you will need to formally withdraw from the EU Shield as described in Option 2 below.
Also, keep in mind that if you maintain Privacy Shield language in your privacy statements, the FTC can continue to bring cases if they find those statements to be deceptive – for example, if the FTC finds that you have failed to meet those Shield standards.
Option 2: Remove the Privacy Shield Language and Withdraw from Shield Participation. Given the factors noted above, companies should consider removing mention of the Privacy Shield from privacy statements. This approach avoids the risk of a deceptiveness action by the FTC if you do not comply with the Shield principles for any new data you collect. However, doing so will mean that your company no longer meets the requirements of Shield participation. The U.S. Commerce Department has indicated it will continue to maintain and operate the program which requires that you formally withdraw from the EU-U.S. Privacy Shield program if you will no longer meet the notice requirements. We note that with respect to data it collected prior to withdrawal, companies will have continuing obligations to comply with Shield principles, including, for example, annually demonstrating that compliance to the Department of Commerce or by providing "adequate" protection for the information by another authorized means.
Note that for either approach above you will still need to maintain notice language required by GDPR and if you participate in the Swiss-U.S. Privacy Shield, you will need to maintain the required disclosures for as long as that agreement is valid and you maintain your participation.
3. Update Contracts with Third Parties
Depending on how much your company relied on the Privacy Shield for data transfers, it is possible that many of your agreements with vendors and partners did not contain the standard contractual clauses (SCCs), also known as “model clauses,” or another acceptable basis for transferring the data. Where your contracts specify that the Privacy Shield is the sole legal basis for data transfers from the EU, addressing those contracts would be a top priority.
Where possible, we advise adding SCCs to your existing contracts, and to new contracts going forward, even where there may be other possible bases for transfers available to you or your vendors. But for your vendor contracts, you may wish to allow vendors the flexibility to use any and all valid transfer methods at its disposal, since this could future-proof contracts if one method is struck down.
Is adding SCCs to your contracts enough? It depends. The CJEU also held that SCCs may be insufficient in some scenarios, and European data protection authorities (DPAs) can review and invalidate SCCs on a case-by-case basis. Thus, in some cases, it may be necessary to add “additional safeguards” – particularly if the nature of the company, services, or data involved makes it more likely that U.S. law enforcement or national security agencies may seek to obtain personal data. We are still awaiting guidance on this issue, but we anticipate that, for example, contracts could include obligations that would make it less likely government actors may seek or obtain data, such as security measures (e.g. end-to-end encryption, commitments regarding how the company will respond to government requests, or other steps the company could take to help mitigate the privacy impact of government requests).
4. Consider Intra-Company Agreements
If your company has a European subsidiary or affiliate, you can put in place intra-company agreements between the EU entity (as data exporter) and non-EU entities (as data importers) to help legitimize transfer of data within your corporate group. These agreements would contain the SCCs and may also include some additional safeguards such as those described above.
5. Other Strategies to Consider
There are other strategies that can be considered by the companies that have the resources and means to do so. Another valid transfer strategy is Binding Corporate Rules – a set of data protection policies within a corporate group that, once reviewed and approved by European DPAs, will allow global data transfers within the group. Unfortunately, the processes for obtaining approval can be very lengthy and costly. We have heard of delays of several years. Thus, this is not a helpful short-term strategy.
Companies can also consider storing as much of their personal data as possible in Europe. Alternatively, companies could consider storing data in one of the few countries that have been found by the European Commission to provide “adequate” protections. This can minimize the data transfers and thereby minimize the risk of having transfers found to be invalid. Keep in mind, however, that this is unlikely to be a complete solution, because even occasional access to that data by personnel outside of Europe (or an “adequate” country) will constitute a data transfer that will need to be supported by a valid legal basis.
6. Watch for Further Development, Stay Nimble, and Be Zen.
This court decision is new and changes the landscape in some dramatic ways, but it is far from the last word on how this will all play out. EU regulators will provide additional guidance in the weeks and months to come. The Irish DPA will eventually conclude the case involving Facebook that led to this decision, and the resolution of that case and how Facebook responds will undoubtedly provide some degree of road map for other companies.
It is possible that the U.S. Commerce Department and the European Commission could negotiate a new agreement to replace the Privacy Shield. But to the extent that the European court left open a path for such an agreement, it is a narrow one, and we should not rely on there being a new agreement anytime soon.
All U.S. companies that relied on the Privacy Shield will need to take some short-term steps to fill gaps created by this decision. But strategies and approaches may need to evolve in light of future guidance and developments. So, this will be an ongoing process to assess and address risk relating to European data transfers.
But you are not facing these challenges alone. Thousands of U.S. companies are struggling to understand the risks and develop strategies to move forward. So, we're all in this together, and we are here to provide any guidance or support you may need as you consider options.