EU Privacy Shield

EU Court of Justice Nixes the EU-U.S. Privacy Shield Framework

What is the EU – U.S. Privacy Shield?

The European Union (EU) enacted the General Data Protection Regulation (GDPR) in April 2016 and it went into effect in May 2018. The GDPR protects and covers European Economic Area (EEA) member state citizen personal data. The GDPR largely regulates the transfer of personal data to third countries. One method of effectuating a compliant transfer was the EU-U.S. Privacy Shield (Privacy Shield). The Privacy Shield permitted countries with less stringent data protection laws than the European Union (EU), such as the United States, to create a safe harbor within its “inadequate” law. On July 16, 2020, the EU Court of Justice (ECJ) declared the Privacy Shield invalid. The ECJ maintained that the Privacy Shield was not “essentially equivalent” to EEA-member state data transfer mechanisms.

Why does the Privacy Shield matter to U.S. companies?

  • Personal data is everywhere – If you are a U.S. company engaged in commerce, there is a very good chance that day-to-day transfers of consumer personal data is somehow implicated. Any personal data on an EU citizen—regardless of where they live—is subject to these laws.
  • Vendor and contractor policy – You may not readily receive and process the personal data of EEA-member state citizens, but chances are your vendors or contractors do. What is more—one of your vendors or contractors may have been relying on the now invalidated Privacy Shield framework to comply with the handling of consumer data. Additionally, they may ask you to comply with their policy.
  • Compliance still necessary – Trans-Atlantic business must go on. Companies that control and process data need to hardwire data privacy and protection measures into virtually every business process they implement under the GDPR. Moreover, the DOC’s International Trade Administration (ITA), the agency tasked with administration of the Privacy Shield framework, maintains the ECJ’s opinion does not discharge participants of their responsibility to comply with the Privacy Shield’s mandates.
  • State requirements – Even if you are certain that your data flows are not transnational in nature, states, such as California with its Consumer Privacy Act, have implemented measures giving consumers rights to their personal data, such disclosure, deletion, or the ability to opt out of third-party data sharing. These laws are very similar to EU laws.
  • Penalties – The penalties associated with non-compliance with the GDPR carry a steep penalty of up to 20 million euros ($23.6 million) or 4% of your company’s annual global revenue, whichever is higher.

How to ensure my data transfer and privacy policies are up to date?

Companies that process and control data—virtually every consumer facing business—must have the ability to readily identify a consumer’s personal data, as well as alert consumers of their rights in the data. What is more, a transnational company controlling and processing personal data must: possess the legal right to process the data, notify the data subject of what other entities hold their data, and “forget” personal data under GDPR. Make sure your compliance with data privacy laws is up to date.