On July 16, 2020, the Court of Justice of the European Union (CJEU) declared that the EU-US Privacy Shield Framework (“Privacy Shield”) was invalid in that it violated fundamental principles of EU law, including the General Data Protection Regulation (GDPR). Thousands of US companies registered with Privacy Shield relied upon it to send personal data of European Union residents to the US for regular business uses in a relatively seamless way. While it appears that EU supervisory authorities will allow at least some time for US companies to replace the data protection safeguards provided by Privacy Shield, if your US entities or US business partners were registered with Privacy Shield, revisions of agreements and protocols will be required in a short timeframe.
To read the opinion of the CJEU in its entirety, click here. In the many pages of text, the takeaways of most immediate concern are as follows:
If you were registered with Privacy Shield, we recommend that you review the Standard Contractual Clauses that will be required in place of Privacy Shield representations to determine whether you are meeting the requirements of the Clauses and have documented how you meet them. The standards of the Clauses are not identical to the former Privacy Shield Principles to which you agreed when you registered with Privacy Shield. We also recommend that you undertake an inventory of service agreements and other contracts in which third parties process personal data of EU residents to determine whether the data protection representations of those third parties were based on Privacy Shield registration. Those agreements will require revision as soon as practicable.
A business imperative for conducting these reviews and revisions now is that the European Union is getting back to a pre-COVID-19 business status more quickly than the US. As a result, consumers in the European Union, as reported in The New York Times on July 15, 2020, may provide a more robust market than those in the US, at least for the next several months.
Those consumers demand adherence to data protection principles, and a 2019 data privacy benchmark study by Cisco, “Maximizing the Value of Your Data Privacy Investments,” has indicated that organizations that adhere to GDPR principles have a shorter sales cycle.
If you have questions regarding how to ascertain your organization’s or client’s capability to meet the Contractual Clause requirements or require assistance in reviewing and revising your service agreements and other contracts in the wake of the CJEU decision, please contact Kenneth N. Rashbaum.