The Court of Justice of the European Union issued its decision in “Schrems II” that invalidated the EU-U.S. Privacy Shield arrangement.
“Privacy Shield had served as an approved ‘adequacy’ mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Shield when transferring data to these organizations.”
For U.S. organizations participating in Privacy Shield, next steps can include the following.
- Understand what personal data is covered: The first step is to understand what personal data transfers have been covered under the organization’s self-certification to Privacy Shield.
- The organization should develop a plan for how it will address each big-picture category of data transfer under Privacy Shield.
- Where the organization participates in Privacy Shield as a controller, implementing the standard contractual clauses (SCCs) for such controller-to-controller data transfers can help strengthen the position that the transfers are permissible.
- Evaluate whether derogations or other legal justifications can help. Depending on the context, some organizations may be able to adopt other strategies.
- Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply.
- The interpretation and application of “Schrems II” is rapidly changing and developing; organizations should stay closely aligned with these developments and adjust their plans accordingly.
What Privacy Shield organizations should do in the wake of ‘Schrems II’ by Brian Hengesbaugh on IAPP
Max Schrems: the man who took on Facebook – and won by Hannah Kuchler in FT.com
The end of Privacy Shield: Why it matters and what businesses can do about it by Mark Kahn on VentureBeat