One Move Ahead

Legal & Tax Alerts

The EU-US Privacy Shield No Longer Considered Vigilant Enough For Personal Data Transfers; SCCs Remain Valid

Publication: ZRVP

A recent judgement issued by the Court of Justice of the European Union invalidated its previous decision on the adequacy of the protection provided by the EU-US Privacy Shield. As a consequence, the EU-US Privacy Shield Framework is no longer considered a valid mechanism as it does not comply with EU data protection requirements when transferring personal data from the European Union to the United States.

 

The EU-US Privacy Shield framework was one of the applicable mechanisms that could be used by commercial partners on both sides of the Atlantic when transferring personal data from the European Union to the United States, ensuring compliance with data protection requirements in the EU. The framework aimed at protecting individual privacy and ensuring the continuity of commercial data transfers. According to Forbes, about 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion.

The judgement of the Court was challenged in the case known as Schrems II and directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises. The decision triggers the necessity to re-evaluate the already fulfilled data transfers between the involved companies and to establish a set of new rules permitted by the current valid mechanisms of data protection.

An alternative mechanism for transatlantic partnerships that could be applicable would be the use of the Standard Contractual Clauses (“SCC”) for data transfers between the EU and non-EU countries. SCCs are considered to be a secure solution for international data transfer. These specific model clauses are designated to be applicable when the receiving party is subject to a third country’s legal system that does not ensure the adequate protection for data subjects’ rights.

Another possibility offered to international partnerships that allows personal data transfer within a limited circle is the use of Binding Corporate Rules (BCR). Such set of rules drafted by the interested company should be in line with the European data protection principles and be further validated by the responsible authorities.

Beyond the massive implications for data transfers to the US, the decision will place a greater burden on businesses exporting data to other countries via SCCs or other available instruments. It will also require more work from EU supervisory authorities, many of which are already faced with limited resources.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.

BUSINESS CONTINUITY AT ZRVP

The COVID-19 crisis is fast-moving and hard to predict. At ZRVP, our highest priority is the health and wellbeing of our people, our clients and our communities.

Our response measures are aligned with the recommendations and decisions of the Romanian authorities and ensure the safety of our people and visitors as well as the continued provision of key client services and operations.

We would like to assure you that ZRVP will continue to operate seamlessly during the next period, both remotely and at our offices. We will provide continuous legal service to all our clients and assist you in the navigation of the wide range of legal and economic impacts of COVID-19 that are leading to uncertainty and volatility across all sectors. We are closely monitoring the situation as it evolves and will provide up-to-date information related to the wide range of issues arising during this challenging time.

In the meantime, if you would like to contact any of our team members, please use the usual contact details.

 

Kind regards,
Your ZRVP team