On July 16, the Court of Justice of the European Union (CJEU) determined that a key data sharing agreement between the EU and the U.S. was invalid. Per the court, the Privacy Shield agreement, under which signatory U.S. companies were allowed to transfer EU resident personal data to the U.S., was deemed insufficient in protecting the data privacy of EU residents from U.S. surveillance, and hence no longer valid. According to the ruling, the use of standard contractual clauses (SCCs) remains a valid mechanism to legitimize the transfer of EU/European Economic Area (EEA) resident personal information to the U.S., though supervisory authorities retain the authority to review the validity of the SCCs on a case-by-case basis.
The rationale behind the EU court decision involves the U.S.'s lack of an overarching federal data privacy regulation that could provide protection on par with the EU General Data Protection Regulation (GDPR). Further, EU members have no meaningful means to complain about, or demand recourse for, data usage by U.S. firms. The decision is on par with a similar 2016 ruling which struck down the EU-U.S. Safe Harbor agreement.
The ruling will have a significant effect on the more than 5,000 companies that have signed onto the Privacy Shield agreement, including major firms like Facebook and Google. Companies' current SCCs will continue to be in effect pending further evaluation.
The U.S. Secretary of Commerce has expressed disappointment with the ruling and has indicated that the Department of Commerce will be exploring its future implications.
The CJEU ruling striking down the Privacy Shield data sharing agreement is a significant blow to firms doing business with EU customers. Firms that rely on the Privacy Shield to move data from the EU to the U.S. will have to implement a different mechanism to do so. In many cases this will lead to firms implementing EU standard contractual clauses.
Although many small to mid-size Private Equity (PE) and investment firms do not rely on Privacy Shield, PE firms will need to review the status of their portfolio companies' transfer mechanisms and ensure that appropriate mechanisms are in place.
The EU Commission is currently evaluating alternative mechanisms to legitimize transfers of personal data outside the EU/EEA. In the meantime, firms are advised to implement alternative data transfer mechanisms and to monitor for further guidance from the EU Commission.
How We Help
ACA Aponix offers the following services related to the GDPR and other data privacy regulations:
- GDPR gap analysis
- GDPR awareness training
- Cybersecurity and technology risk assessments
- Policies, procedures and governance
- Mock regulatory cyber exams
- Threat intelligence