Greetings from Kittery, Maine!
Wow, what a day yesterday. After months of hoping that the EU's highest court would go easy on standard contractual clauses and the EU-U.S. Privacy Shield arrangement, the news thundered like a tidal wave. Like its predecessor, Safe Harbor, Privacy Shield is no more (though the Department of Commerce said it will continue to administer the Privacy Shield program). And, now, SCCs have additional requirements.
With more than 5,400 companies signed up for the framework and 87% of companies (that we surveyed last year) employing SCCs, this is obviously no small matter.
The U.S. had been putting on a good face of late. The Federal Trade Commission in recent months had been consistently doling out enforcement actions against noncompliant Shield participants, including a notable one that came down at the end of June. Heck, Fieldfisher's Paul Lanois analyzed the enforcement action for the IAPP this very week — it is a good one and still worth checking out.
But all the news isn't bad. SCCs are still valid, though there's a new layer of diligence that companies will need to apply: There must be protections in place in the third country to which EU data is transferred — specifically with regard to access by public authorities and judicial redress. It's no longer a check-the-box operation.
And as our own Omer Tene pointed out today, the "show must go on." Did the world end when Safe Harbor was invalidated? No. The sun still rose this morning, as it will tomorrow. True, the invalidation raises a host of new obligations, but privacy pros will find a way. You always do.
For the U.S., will the CJEU's decision help drive a federal privacy law? Well, in short, no.
The ultimate issue that undermined Shield was not the U.S. laws in the commercial space — the space that a federal law would address — it's the laws regulating public authorities in the national security and surveillance space. The EU is concerned about mass surveillance through the Foreign Intelligence Surveillance Act, Electronic Communications Privacy Act, Executive Order 12333, and Presidential Policy Directive 28. It's also concerned about the independence and authority of the U.S. ombudsman, an appointment by the president. These are issues that require changes that are hard to imagine in the current political reality right now.
Does that mean surveillance reform is impossible here in the U.S.? Of course not, but it's a tall order at the moment.
In the meantime, SCCs are still valid. The sun is up, the wave has crashed, and now the waters recede. There are ways to move ahead. Be sure we'll be here to share content to help you navigate these choppy waters. And if you have something to share or write about, don't hesitate to let us know. We're here for you.
If you want to comment on this post, you need to login.