Following the decision last week by the Court of Justice of the European Union (CJEU) to invalidate the EU-U.S. Privacy Shield (further details on the decision can be read here), the question asked by many businesses has been: we transfer personal data to the U.S., what should we do now? The answers to that question are not straightforward and likely will evolve as regulatory and political reactions to the decision unfold. However, we do recommend that companies that transfer data from the EEA (European Economic Area) to the United States take several steps now.
- Map Data Flows: Conduct a review of all international data transfer activities involving EEA personal data and develop a map of all affected transfers, including details of the relevant parties (be they group companies or other third parties such as vendors, stakeholders, customers or the like).
- Develop Action Plan: Document an actionable plan for operationalizing next steps within the business, including prioritizing data flows based on, for example, the volume or sensitivity of the data involved or the importance of the transfer for the business. For those data flows involving third parties such as vendors, the plan should consider whether the business itself will select and implement an alternative mechanism (if needed) or whether the third party is best positioned to lead the change.
- Continued Compliance: Whilst mapping data flows and developing the action plan, businesses that rely on Privacy Shield to transfer personal data should continue to do so, and those certified with Privacy Shield should continue to comply with their Privacy Shield obligations.
- Select and Implement Suitable Alternative Mechanism: For impacted data flows, the business should consider which alternative transfer mechanism is most suitable for each and seek to implement accordingly. Possible alternative mechanisms include:
  - Standard Contractual Clauses (SCCs): the implementation of the SCCs is the most efficient of the options, but businesses intending to take this approach will need to consider the decision of the CJEU on their use – namely, that businesses using the SCCs should, where required, provide additional safeguards in order to ensure adequate protection of the personal data and data subject rights in the third country. We also see potential danger in the CJEU ruling for the continued viability of the SCCs for U.S. businesses. The extent of that risk may become apparent as the court proceedings in that matter continue in the Irish courts, but, for the moment, for many businesses, the SCCs may be the most attractive option.
  - Binding Corporate Rules (BCRs): the BCRs require approval from certain data protection regulators, and this can take time, in some instances up to a year. The BCRs are therefore not a “quick fix,” but, given the specific protections included within BCRs, they will likely emerge as a more solid and more readily used mechanism to legitimize data transfers within multinational corporations with European operations.
  - Approved “Ad Hoc Clauses”: similar to the BCRs, as an alternative long-term measure, businesses may consider applying for approval of their own standard data protection clauses, but again, this can take time.
- Monitor Guidance and Legal Developments: Over the coming weeks, regulators across the EEA and the UK will release guidance on applying the CJEU’s decision, and businesses should be alert to any such guidance. We will continue to monitor and report on any of the guidance as it emerges. In addition, as noted, the CJEU decision now returns the matter to the Irish courts. It will be important to watch as that proceeding unfolds to see how those courts apply the CJEU’s guidance to the SCCs.
- Privacy Notices: Privacy notices should be reviewed and updated to the extent affected by the decision and to reflect the alternative means of transferring personal data implemented by the business.
For more information or guidance on how to react to the CJEU decision, please contact any of the following: