Nearly one month has passed since the Court of Justice of the European Union found the EU-U.S. Privacy Shield no longer provides a valid legal basis for data transfers from the EU to the U.S., immediately leaving thousands of organizations that both send and receive data in violation of their EU General Data Protection Regulation obligations.
Unfortunately, companies are still facing the same uncertainty today as the day of the decision.
Government officials in the U.S. and EU have provided general updates and a renewed commitment to an “enhanced” framework, but this additional guidance instructed organizations relying on Privacy Shield on both sides of the Atlantic to determine for themselves how best to satisfy the Court’s interpretation of data transfer requirements. The U.S. Department of Commerce referred participants to the European Commission or data protection authorities with any questions. In turn, the European Data Protection Board issued a set of FAQs stating that the use of Privacy Shield will no longer meet GDPR requirements for data transfers and that organizations should use other methods, such as binding corporate rules and standard contractual clauses.
Overlooked in the EDPB FAQs is the fact that instituting any different data transfer mechanism will take considerable time and resources, which leaves companies with a gap in their compliance. Making matters more confusing, some DPAs have indicated SCCs are valid, while others have said there may not be any acceptable means of transferring data.
Amid all this uncertainty, the only thing that is clear is that completely and immediately stopping data flows is not an option. The good news is that while no official grace period has been announced, there likely will be a period where DPAs allow organizations to move toward reestablishing compliance rather than undertake immediate enforcement actions. Moreover, the DPAs are facing extremely limited resources and will not be able to simultaneously investigate 5,500 Privacy Shield participants and the thousands more organizations that rely on them.
Reviewing and updating all existing contracts will take time and require additional guidance regarding supplementary measures. Many organizations are likely now asking themselves whether they should simply reallocate the resources used for Privacy Shield compliance towards other transfer mechanisms or aspects of compliance. As the recent economic uncertainty has forced tough decisions on where to invest money and employee time, there is a question of whether Privacy Shield has any value at all.
However, simply leaving the Privacy Shield program or disregarding its principles would be a mistake, particularly for those organizations that have already built an entire sophisticated compliance program and developed products and services with Privacy Shield in mind. Even without the primary purpose of satisfying GDPR data transfer requirements, the Privacy Shield principles will continue to provide a return on investment for several reasons:
- Privacy Shield obligations are still binding. While Privacy Shield is no longer a valid mechanism for data transfers from the EU, it is still a valid commitment toward certain data privacy requirements and you must continue meeting your commitments. Failing to follow the Privacy Shield principles or misrepresenting continued participation could result in U.S. Federal Trade Commission enforcement; the FTC has issued a statement indicating they “expect companies to continue to comply with their ongoing obligations.” Commerce also echoed this sentiment in their recent FAQ.
- Privacy Shield still serves as a blueprint toward meeting GDPR obligations, including those covering data minimization, retention, and data subject rights. If you are operating as a data processor and importing data from an EU controller, implementing SCCs only satisfies the GDPR data transfer obligations; you must still meet the other GDPR requirements when processing data. The same requirements exist if you are a consumer-facing organization that directly collects data from EU residents; you need to establish alternative transfer methods, but the recent decision does not alter the rest of your GDPR obligations. In the short term, nothing about the recent decision should result in a change to the way EU data subjects’ data is processed.
- Privacy Shield principles may also serve as a form of “supplementary measures.” The Court’s decision, recent statements by DPAs, and the EDPB FAQs indicated that all data transfers must now be analyzed on a case-by-case basis and be accompanied by additional safeguards or supplementary measures that demonstrate a level of protection essentially equivalent to the GDPR. This applies to all transfer mechanisms, including SCCs. Supplementary measures are still undefined, but some DPAs have hinted that the broader Privacy Shield principles might be one way to meet that standard.
- Privacy Shield creates a foundation for compliance with more than GDPR. Building a data protection plan that satisfies the principles means that your organization is well on the way to meeting privacy requirements for most of the U.S. and the rest of the world too. While there are some notable differences across jurisdictions (such as data breach reporting requirements, age restrictions, and sectoral rules) that will require customization, the Privacy Shield criteria meet or exceed most data privacy regulations, because the GDPR serves as the basis for many national data protection regimes and is often more comprehensive than the regimes of other countries that lack an adequacy decision.
- Privacy Shield may return in a new form. On August 10, the U.S. and EU announced that they will work together to “evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with” the Court’s judgment. Any new agreement will likely require material changes to the U.S. government’s obligations, but the Court’s decision did not indicate that changes needed to be made to the private-sector obligations. While the use of qualifiers and purposefully vague language does little to reassure those looking for answers in the short term, it is important to remember that the original Privacy Shield took more than a year to negotiate following the invalidation of Safe Harbor, so there could very well be an updated agreement before the end of next year.
Regardless of the alternative data transfer mechanism chosen, there is no easy fix. Complying with the Privacy Shield principles, and with data protection more broadly, is not meant to be a check-the-box exercise. However, as organizations move toward filling the compliance gaps caused by the invalidation of Privacy Shield, they should remember that there is still value in following the obligations. The Court may have invalidated Privacy Shield as a data transfer mechanism, but it did not negate the many other principles that underlie it.
Maintaining a well-built data protection compliance program is not a sunk cost but one that will continue to provide a return on investment.