Article contributed by James M. Smedley, Ellenoff Grossman & Schole LLP
On July 16, 2020, the EU Court of Justice (CJEU) ruled in the Schrems II case that the adequacy decision underlying the EU-US Privacy Shield was invalid, finding that US law does not adequately protect the personal data of people in the European Economic Area (EEA). Prior to this decision, the EU-US Privacy Shield was likely the most commonly used mechanism for US companies to lawfully receive, process, store and transfer personal information of people in the EEA. The ruling was largely based on the findings that the US government does not limit surveillance of foreigners to what is strictly necessary, and that US law does not give those in the EEA an effective remedy against that surveillance.
If your company was relying on the EU-US Privacy Shield to comply with the EU’s General Data Protection Regulation (GDPR), or did not think GDPR applied to your company, it is time to look at your options for ensuring compliance. If your company receives personal data, such as a name, phone number or email address, from someone in the EEA, then you likely need to consider how to comply with GDPR, because the penalties for violating it are extremely severe. That includes supporting vendors that process such data on your behalf, like Fishbowl’s marketing services or Olo’s ordering and delivery services.
Luckily, even without the EU-US Privacy Shield, GDPR still recognizes other mechanisms for companies that process, in the US, the personal data of individuals in the EEA. These options include standard contractual clauses (SCCs) and binding corporate rules (BCRs). SCCs are Commission-approved clauses incorporated into data transfer or processing agreements that bind the recipient to protect personal data in accordance with GDPR. BCRs are internal data protection rules adopted by a corporate group and approved by an EU supervisory authority to govern transfers within that group. In instances where you do not have an individualized agreement directly with the organization providing your company information about those in the EEA, such as a reservation service like OpenTable, relying on BCRs may make more sense, bearing in mind that your BCRs cover only transfers within your own corporate group, so it is also worth confirming which transfer mechanism the supplier itself relies on.
It is important to note that the European Commission is currently in the process of updating the approved SCCs. So if your company is relying on SCCs, you may ultimately need to amend your company’s agreements when the new SCCs are issued.
Additionally, the US and the EU have begun working toward a replacement framework, with officials from both sides stating that, “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.” In the interim, the U.S. Secretary of Commerce noted that, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
Given the statements from the relevant US agencies, companies currently certified under the EU-US Privacy Shield framework should consider continuing to comply with it, in order to avoid problems arising from the representations they made to those agencies. As the Chairman of the FTC stated, “[W]e will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.” So if your company previously completed a self-certification or re-certification, it is important to continue to comply with your submissions, as the US is potentially still enforcing those certifications, even though the EU-US Privacy Shield is effectively dead as a GDPR transfer mechanism.
Also, despite the US Department of Commerce’s commitment to continue the program, the European Data Protection Board (EDPB) has stated that there is no grace period for those operating solely under the EU-US Privacy Shield regime. Therefore, it is imperative that companies transferring and/or processing the personal data of EEA residents immediately move to implement other safeguards to ensure that they are in compliance with the rules under GDPR.
Even if your company is not certified under the EU-US Privacy Shield, if your company is transferring, receiving or processing the personal data of residents of the EEA, your company should put the appropriate protections in place, such as SCCs and/or BCRs, in order to comply with GDPR. There are some exceptions that companies can rely on, called “derogations for specific situations,” set out in Article 49 of GDPR. These are neatly detailed in the European Data Protection Board’s “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.” However, the derogations are narrow and intended for occasional transfers, so it is imperative to confirm that an appropriate derogation actually applies, or otherwise ensure that the necessary SCCs or BCRs are in place, in order to avoid liability under GDPR.
If your company receives, transfers or processes personal data from the EEA, it is imperative that you confirm your company’s continued compliance with GDPR, particularly if you were previously relying on the EU-US Privacy Shield to ensure compliance. There is currently no safe harbor or grace period for coming into compliance after the July 16, 2020 ruling that invalidated the EU-US Privacy Shield. Therefore, either confirm that one of the derogations applies to your company’s situation, or put appropriate SCCs or BCRs in place to comply with GDPR.
James M. Smedley is a member at Ellenoff Grossman & Schole LLP and serves as head of the firm’s Intellectual Property and Technology law group. Mr. Smedley’s practice has focused on strategic counseling of companies with respect to protecting and enforcing their intellectual property rights, both domestically and internationally. Representative matters include trademark and patent prosecution, brand protection and enforcement, intellectual property licensing, anti-counterfeiting counseling and privacy/cybersecurity counseling. James Smedley can be reached via email at firstname.lastname@example.org or by phone at 212-370-1300.