Following the decision of the European Court of Justice invalidating the Privacy Shield (an agreement that provides adequate protection for data transferred to the United States), what solutions are available to companies transferring personal data to the United States?

The conclusions of the judgment

It is important today to recall some of the consequences that will impact businesses in the near future:

  • The judgment does not prohibit the transfer of personal data from the EU to the US.
  • It does not invalidate the standard contractual clauses (SCCs) adopted by the European Commission.
  • It recalls that the use of SCCs does not automatically make the transfer of personal data to the US lawful, but that a case-by-case assessment of the protection measures taken by US companies is required in the absence of an adequacy decision.

What are the practical consequences for companies?


This decision is therefore not without consequences for both US and European companies. In practice, before transferring personal data to the United States, European companies will have to rely on a mechanism other than the Privacy Shield. Continuing to transfer data without an adequate protection mechanism is obviously out of the question, as it carries the risk of being sanctioned by the national data protection authority.

This implies in particular:

  • Reassessing all contracts between the company and its US partners and listing transfers based on the Privacy Shield.
  • Renegotiating these contracts through another mechanism to protect the transferred data.
  • If SCCs are chosen to legitimise a transfer, they do not provide de facto legitimacy: European companies will have to ensure that the US partner provides all the necessary guarantees for adequate protection, which are listed in particular in recital 108 of the GDPR.


The Court encourages data controllers to implement for their transfers to the United States any guarantees additional to those offered by the SCCs.

Conclusion


The decision of the CJEU is a further step toward building, on a global scale, the protection of personal data according to the rules of the GDPR. However, in practice, it leads to legal uncertainty. European companies will have to ensure and declare in good faith that their American partners will protect the transferred data from interference by local surveillance. A delicate feat, to say the least. In any case, a review of all contracts providing for the transfer of personal data to the US is to be expected!