EU-US Privacy Shield Struck Down
This past July, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield regime that the United States had negotiated with the EU to provide a mechanism for validly transferring personal data from the European Union to the United States.
The Privacy Shield was a certification program run by the Department of Commerce after the CJEU had invalidated the previous Safe Harbor program meant to satisfy EU data privacy obligations.
The European Commission maintains Standard Contractual Clauses that can be used by a data exporter with importers to satisfy its obligations under current EU data privacy laws, in particular GDPR. The opinion did clarify, though, that these clauses cannot be relied upon without additional due diligence by the exporter; rather, verification must be done on "a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses."
If you have been relying on the Privacy Shield or were planning to do so, now would be a good time to check with counsel about what steps are available to ensure compliance with EU laws, including GDPR, and whether additional measures beyond the Standard Contractual Clauses are enough to meet those obligations.
This article is for informational purposes only and does not constitute legal advice. This article does not create any attorney-client relationship between Gundersen & Gundersen LLP and the recipient. Any testimonial or endorsement in this document does not constitute a guarantee, warranty, or prediction regarding the outcome of your legal matter. Previous results do not guarantee a similar outcome.