« Cyber Criminals Work From Home Too | Main | Cyber Coverage Considerations »

July 16, 2020

U.S. Companies Lose Benefit of Popular EU-US Privacy Shield Program

Craig.Carpenter_linkedin

Posted by Craig Carpenter

On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR).

The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR.

This decision largely centered on European concerns for U.S. surveillance programs and the ability for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”[1]

The Court also called in to question the efficacy of the “standard data protection clauses” as a means of cross-border data transfer, particularly in countries like the Unites States where public authorities have significant data access. The court stopped short of invalidating the standard clauses as a lawful means of transfer altogether, but the court emphasized the need to consider the practices of the countries in which the standard clauses are used, seemingly inferring that they might not be appropriate in places like the United States.

We do not yet know the U.S. response to this decision; however, without Privacy Shield, U.S. companies will have to rely on a different means of lawful data transfer. Examples include Standard Contractual Clauses discussed in Article 46 (subject to the comments above), Binding Corporate Rules (Articles 46 and 47), explicit consent (Article 49), necessity for performance of a contract (Article 49), exercise or defense of legal claims (Article 49), or the other “derogations for specific situations” identified in Article 49 of GDPR.

 

[1] CJEU Press Release, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf (July 16, 2020).

Posted at 11:08 AM |

Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)

Authors

  • The T&K CyberSecurity Blog is authored by lawyers in the Data Privacy and CyberSecurity Practice Group at Thompson & Knight LLP.

Enter your email address:

Delivered by FeedBurner

Disclaimer

  • This blog is for information purposes only. It is not intended to provide legal advice.

Search

Categories

Archives

Websites of Interest

Other Blogs of Interest