The EU-US Privacy Shield No Longer Considered Vigilant Enough For Personal Data Transfers; SCCs Remain Valid
A recent judgement issued by the Court of Justice of the European Union invalidated its previous decision on the adequacy of the protection provided by the EU-US Privacy Shield. As a consequence, the EU-US Privacy Shield Framework is no longer considered a valid mechanism as it does not comply with EU data protection requirements when transferring personal data from the European Union to the United States.
The EU-US Privacy Shield framework was one of the applicable mechanisms that could be used by commercial partners on both sides of the Atlantic when transferring personal data from the European Union to the United States, ensuring compliance with data protection requirements in the EU. The framework aimed at protecting individual privacy and ensuring the continuity of commercial data transfers. According to Forbes, about 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion.
The judgement of the Court was challenged in the case known as Schrems II and directly impacts both European companies doing business in the United States and American companies, of which over 70 percent are small and medium enterprises. The decision makes it necessary to re-evaluate the data transfers already carried out between the companies involved and to establish a set of new rules permitted by the currently valid mechanisms of data protection.
An alternative mechanism that could be applicable for transatlantic partnerships is the use of the Standard Contractual Clauses (“SCC”) for data transfers between the EU and non-EU countries. SCCs are considered to be a secure solution for international data transfer. These specific model clauses are designed to apply when the receiving party is subject to a third country’s legal system that does not ensure adequate protection of data subjects’ rights.
Another possibility offered to international partnerships that allows personal data transfer within a limited circle is the use of Binding Corporate Rules (BCR). Such a set of rules, drafted by the interested company, should be in line with the European data protection principles and be further validated by the responsible authorities.
Beyond the massive implications for data transfers to the US, the decision will place a greater burden on businesses exporting data to other countries via SCCs or other available instruments. It will also require more work from EU supervisory authorities, many of which are already faced with limited resources.