With both Privacy Shield and standard contractual clauses being challenged in court, it is important to prepare accordingly and not completely rely upon one mechanism to ensure that the transatlantic data flow may continue legally. The European Commission provides three different mechanisms that allow a legal data exchange: Privacy Shield, standard contractual clauses, and binding corporate rules. The +1 approach, explained below, sees companies adopting two of the above mechanisms to guarantee the data flow may continue should one of the mechanism be invalidated by the Court of Justice of the European Union.
The U.S. Department of Commerce and European Commission adopted the Privacy Shield agreement to provide companies in both the U.S. and EU with a mechanism to comply with data security requirements and legally transfer data from the EU to the U.S. in support of global commerce. Privacy Shield is an inexpensive, self-certification mechanism that is relatively easy to apply to and achieve certification. However, Privacy Shield is currently being challenged in the Irish High Court and could go the way of Safe Harbor, ultimately being invalidated.
Before the Privacy Shield, the European Commission adopted standard contractual clauses, offering sufficient safeguards as required by EU law. Essentially, use of these clauses allows organizations to legally transfer personal data outside of the EU. They're designed to ensure a sufficient level of protection, and companies that use them will benefit from favorable treatment (i.e., EU nations are legally obligated to acknowledge that the standard contractual clauses fulfill the privacy requirements and therefore may not refuse the transfer, except in limited circumstances). Like Privacy Shield, standard contractual clauses are also an inexpensive and relatively easy mechanism for organizations to use.
However, also similar to Privacy Shield, standard contractual clauses are in trouble. They're being challenged in the Irish High Court as not ensuring a sufficient level of data security as required by EU law. It’s difficult to predict how the court will rule in both cases, but, when considered with the precedent set by Safe Harbor, solely relying upon Privacy Shield or standard contractual clauses is not recommended.
The last mechanism, binding corporate rules, are codes of conduct ensuring a sufficient level of data protection that organizations voluntarily adopt and follow. Companies draft the rules themselves, then submit them to the data protection authorities for approval. Once approved, the organization can legally transfer data between businesses that are part of the same corporate group that have adopted the approved corporate rules. Unlike Privacy Shield and standard contractual clauses, BCRs are expensive and can take months, even years, to fully implement and have approved. However, BCRs are the only mechanism not currently being challenged in court.
It is important to remember that these mechanisms are not guaranteed long-term solutions. Since Safe Harbor’s invalidation, almost every mechanism has come under fire and been threatened as potentially next on the chopping block. Despite this, counselors should consider adopting at least two of these mechanisms, thus ensuring a continued flow of data should a method become invalidated in the future.
There are a number of factors that must be considered in an organization’s decision of whether to adopt BCRs, standard contracts, or to self-certify for Privacy Shield. The size of the company, the industry they do business in, and the type of data being stored are just a few issues that need to be considered. Ultimately, the best practice is to hire outside counsel who specializes in cybersecurity to provide guidance on the best mechanisms to fit your individual organization’s or client’s needs.
That said, the +1 approach eliminates the risk of an organization incurring any fines or penalties by being out of compliance with heavily regulated laws and regulations, should one mechanism become obsolete.
If you want to comment on this post, you need to login.