Life After the Privacy Shield: Standard Contractual Clauses Get Tougher Requirements
Despite the Court of Justice of the European Union invalidating the Privacy Shield, EU to U.S. data transfers aren't dead. But stiffer data collection and security protocols, and government intervention, will now be needed.
July 17, 2020 at 03:12 PM
4 minute read
On July 16, the Court of Justice of the European Union invalidated the Privacy Shield, a program leveraged by companies to transfer European citizens' personal data to the United States, due to a lack of remedies against potentially unrestricted U.S. government access.
Lawyers say the decision forces companies to rely on or redraft data transfers contracts, and abide by a new level of data review that may require technical safeguards, or bypass transferring EU data to the U.S. altogether.
"More than 5,300 U.S. companies who were Privacy Shield participants, at a time when the economy is on its knees in the middle of a pandemic, those companies are going to have significant interruption to their business by being unable to rely on their Privacy Shield certification," said Loeb & Loeb privacy, security and data innovations co-chairman Ieuan Jolly.
Still, trans-Atlantic data flow isn't dead. After all, companies still have various alternative data transfer mechanisms. The General Data Protection Regulation provides exemptions for one, annual transfer of data, noted Francoise Gilbert, a lawyer and founder of corporate data privacy and security consultancy DataMinding Inc.
Companies transferring data more than once a year can also draft standard contractual clauses, which the CJEU ruled is still valid.
"Standard contractual clauses, as they're now, are deemed to comply and meet the EU requirements," Gilbert said.
But she added that "there is a second component that is new which is a requirement from the data importer and data exporter to go further than that and make sure whatever is happening in their particular type of transfer and data [has] no additional risk."
Indeed, the CJEU made it clear that adding new standard contractual clauses requires a more in-depth assessment of their data collection and transfer process, Jolly added.
Specifically, companies must evaluate the sensitivity and volume of data transfers, he explained. "The sensitivity and use case combined with the volume will impact if there's a higher level of [likely] surveillance by U.S. governmental agencies. But more fundamentally, when you're looking at standard contractual clauses, to legitimize data transfers you will have to assess what type of additional safeguards beyond the standard contractual clauses will be required and what will be reasonable."
Covington & Burling of counsel Kristof Van Quathem, who represented the Software Alliance in the recent CJEU matter, said companies are exploring encryption and other technical safeguards for EU data transferred to the U.S. He added that more organizations are also considering prohibiting data transfers to the U.S. entirely.
But encryption and notification safeguards can't match all the privacy rights granted to EU citizens, Jolly noted.
"The back-end issues are much harder to solve," Jolly said. "The lack of judicial review is a much bigger issue because a fundamental defect with U.S. law is that it's a constitutional requirement that no one can bring a lawsuit unless they can show they have suffered damages. In an environment of national security surveillance collection, where very few people, if anyone, is told they are the subject of a surveillance, no one can come to court to say they have been hurt from the collection of their data."
To be sure, the European Union and U.S. government have already signaled they will work together to continue data transfers. Indeed, while "deeply disappointed" in the CJEU decision, U.S. Commerce Secretary Wilbur Ross noted the U.S. would continue to collaborate with the European Commission and European Data Protection Board to limit adverse repercussions. The European Commission also said it would "reflect on operative ways to strengthen our [EU to U.S.] data transfers," according to Reuters.
However, lawyers didn't think Europe's latest decision will propel the U.S. to adopt a national data privacy law.
Los Angeles-based Jeffer Mangels Butler & Mitchell partner Bob Braun noted that while debates and the enactment of state-level laws regarding data surveillance in the private and public sector are growing, "as a general matter, the U.S. seems less concerned about government access."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 2Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 3Court System Seeks Public Comment on E-Filing for Annual Report
- 4Foreign-Company Lobbyists Would Need to Register Under Proposed DOJ Regulation
- 5'Fancy Dress': ERISA Claim Accuses Plan Administrator and Cigna Affiliates of Co-Pay Maximizer Scheme
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250