Until very recently, companies doing business with European member states were able to import EU residents’ data into the US under the EU-U.S. Privacy Shield. This agreement between the EU and the US allowed companies to self-certify that they had sufficient security controls in place to ensure the security and privacy of EU residents’ data. Several thousand companies, including a significant number of Small and Medium Businesses (SMBs), opted to take this route to allow them to consolidate sales and other data into centralized databases and data pools within the US.
However, on July 17, 2020, the EU Court of Justice nullified the EU-U.S. Privacy Shield Act. This revocation was based on several points:
- U.S. companies could not prevent the U.S. Government from obtaining corporate data for use by the intelligence community, often taking information in excess of what was permitted under General Data Protection Regulation (GDPR);
- The self-certification process could not ensure that companies were in fact providing security and privacy in accordance with GDPR requirements; and
- No mechanism exists to allow the EU to ensure such requirements are contractually bound in accordance with EU laws.
In its ruling, the Court left the Standard Contractual Clauses option in place, which may be used to establish formal agreements between companies and the EU regarding the safeguards in place to ensure EU residents’ privacy. However, it encouraged data protection authorities to ensure the enforcement of those clauses and, in the absence of an ability to enforce them, declare them null and void.
The use of Standard Contractual Clauses (SCCs) presents a challenge for many companies in the US, since they were written almost entirely from the EU perspective and require that companies ensure adherence to a set of security and privacy guidelines that may interfere with US government information requests. As a result, US companies have limited options when it comes to importing EU data into the US. Standard Contractual Clauses (the EU has two that may be used) offer little room for negotiation, and SCCs must be approved by data protection authorities or an EU court in the country from which the data is to be exported. Consequently, SCCs can present problems for US companies seeking to import EU resident data.
Binding Corporate Rules (BCR) offer another means to allow the importation of data from the EU. However, they are equally rigid and must also be approved by the data protection authorities in the country from which data is to be transferred. If data from more than one country will be transferred, data protection authorities from each country must be involved in the approval process.
In the meantime, the German data protection authority has issued a ruling which states:
- The transfer of personal data to the US on the basis of Privacy Shield is not permitted and must be discontinued immediately.
- For a transfer of personal data to the US and other third countries, the existing standard contractual clauses of the European Commission basically continue to be used. However, the third country must not interfere with these additional safeguards in a way that impairs their actual effect.
- The judgments also apply to other guarantees under Article 46 GDPR, such as binding internal data protection regulations (BCR), on the basis of which personal data is transferred to the USA and other third countries. Therefore, for data transfers on the basis of BCR as well, supplementary measures are agreed, provided the rights of data subjects in the third country do not enjoy the same level of protection as those in the Union.
In any case, US companies can expect that the EU data protection authorities will expect them to adhere closely, if not precisely, to GDPR requirements. Under these circumstances, attainment of GDPR compliance may be a US company’s best route to ensuring uninterrupted data flow. While the US Commerce Department has already begun negotiations with the EU for a replacement, it is not expected to be ready for several months, if ever. Given the current political tensions between the EU and the US, any interim agreement is likely to be protracted, and may in fact not occur at all. The EU is taking its privacy requirements seriously, and companies that expect to continue to do business in the EU should anticipate and plan for becoming GDPR compliant as a result.
GDT Advisory Services can provide companies with assistance in assessing their GDPR readiness through our EU-GDPR Readiness Assessment program and can provide guidance on preparing for and becoming GDPR compliant. In addition, our Compliance-as-a-Service program can provide your company with GDPR-certified personnel to assist you on a part-time or as-needed basis with continued GDPR compliance, to help ensure you maintain your compliance with the Regulation on an ongoing basis. If you would like more information about GDPR readiness and compliance, contact me at paul.kendall@gdt.com. I’d love to hear from you.