Recent Developments in EU/US Cross-Border Data Transfers
Late last year we provided an update on DiscoverReady’s certification under the EU-U.S. Privacy Shield agreement, and shared some information on legal challenges to that cross-border data transfer framework. Now we have two more developments to report on regarding the legal landscape for transferring personal data from the EU to the U.S.
First, the European Commission recently completed its first annual review of the Privacy Shield framework, and found that the pact “continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S.” However, although Privacy Shield passed its first test, European Justice Commissioner Věra Jourová noted that “there is some room for improving its implementation.” Specifically, in its report the Commission —
- Suggested that the Department of Commerce conduct compliance checks of companies certified under Privacy Shield, as well as searches for false claims of Privacy Shield certification, proactively and “on a regular basis.”
- Encouraged the Department of Commerce to continue and strengthen the awareness-raising efforts around Privacy Shield.
- Urged the Trump administration to fill the Privacy Shield Ombudsman position in the State Department on a permanent basis “as soon as possible,” rather than continuing to rely on the interim, acting appointment.
- Called on the U.S. Congress to strengthen privacy protections in Section 702 of FISA (the Foreign Intelligence Surveillance Act) when it considers re-authorization of that regulation later this year, by enshrining the provisions of Presidential Policy Directive (PPD)-28 that limit certain bulk collections of personal data.
Companies relying on Privacy Shield to effectuate transfers of data from the EU to the U.S. should take some comfort in the findings of the Commission, and be assured that—at least for the short term—Privacy Shield will remain a valid mechanism for those data transfers.
However, in contrast to the good news for Privacy Shield, another recent development casts uncertainty on transatlantic data transfers using a different mechanism: Standard Contractual Clauses. Sanctioned by the EC, Standard Contractual Clauses are widely used by companies to transfer data from the EU to the U.S. and other “non-adequate” countries. Earlier this month, Ireland’s High Court issued a decision in a case brought by Max Schrems, the privacy advocate who successfully challenged the former Safe Harbor data transfer framework. In this case, Schrems filed a complaint with the Irish Data Protection Authority concerning Facebook’s use of Standard Contractual Clauses, alleging that this mechanism suffers from flaws similar to those of the now-defunct Safe Harbor. In a lengthy decision, the Irish court referred the dispute to the Court of Justice of the European Union—the EU’s highest court—for a ruling on the mechanism’s validity.
It will take at least a year for the Court of Justice to reach a decision, and companies may continue to use Standard Contractual Clauses in the interim. Further, the implementation of the GDPR in May of 2018, which will require heightened privacy protections for EU personal data around the world, may complicate the court’s factual analysis of the adequacy of Standard Contractual Clauses. But in the meantime, the shifting landscape for cross-border transfers of data from the EU to the U.S. creates anxiety for many multinational companies, which rely on these data transfers as an essential function of doing business.