Privacy Shield Invalidated as GDPR Data Transfer Compliance Mechanism
On July 16, 2020, the European Court of Justice (“ECJ”) ruled to invalidate the Privacy Shield, the legal mechanism created to enable the transfer of personal data between the European Union (“EU”) and the United States while continuing to comply with the EU’s General Data Protection Regulation (“GDPR”). The GDPR affects any business operating within the EU, as well as any organization offering goods or services to customers or businesses in the EU. The result is that every major business in the world needs to be GDPR compliant. Consequently, the invalidation of the Privacy Shield cannot go unnoticed by U.S. companies in the defense industrial base (“DIB”). An action as simple as a U.S. employee remotely accessing data maintained in the EU may be considered a data transfer to the U.S. American defense contractors should be aware of inadvertent GDPR exposure when acting as a supplier or subcontractor to EU companies or affiliates.
The goal of the Privacy Shield was to ensure that personal data transferred to the U.S. from the EU would receive equal protection on both sides of the Atlantic Ocean. The ECJ invalidated the Privacy Shield, arguing that it no longer satisfied EU citizens' GDPR rights against U.S. government surveillance.
The impetus for the ECJ's decision may have been Executive Order 13767, signed in January 2017. Although this order was primarily focused on immigration, section 14 excluded non-U.S. citizens and lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Although the Privacy Shield has now been invalidated, it is likely that a new framework will be established. In 2015, the ECJ invalidated Safe Harbor – which at the time was the primary mechanism for transferring data between the EU and the U.S. By February 2016, the Privacy Shield framework had been established.
In the meantime, the only practical mechanism for transferring data between the EU and U.S. is to use Standard Contractual Clauses (“SCCs”) – which continue to be a GDPR-compliant method to transfer data. This method is often more unwieldy for businesses than the Privacy Shield because data transfers based on SCCs must be implemented on an individual, case-by-case basis.
Another option for transferring data between the EU and U.S. while remaining GDPR compliant is through Binding Corporate Rules (“BCRs”). However, BCRs usually require a very high level of compliance maturity. This includes a broad array of policies, procedures, audits, controls, compliance handling, and training programs. The result is that BCRs are more analogous to a general compliance program than solely a data transfer mechanism. BCRs tend to require more time and resources than SCCs.
The U.S. Department of Commerce has announced that the Privacy Shield Program will continue to be administered for the time being. This means that companies can continue to certify to the Privacy Shield Framework. The most important thing for companies to realize is that adhering to the Privacy Shield framework is no longer a valid way to comply with GDPR data transfer requirements. Although this decision creates uncertainty, SCCs remain a valid mechanism to transfer data between the EU and U.S.
If history is a guide, a new framework replacing the Privacy Shield may be forthcoming. American defense contractors participating in the international supply chain should stay apprised of developments regarding a Privacy Shield replacement and review their GDPR compliance strategies.