What European Data Law Changes Mean for Your Enterprise
May 24, 2021
[Your Name Here] in Law & Policy, No Jitter, Privacy, Privacy/data security

Following EU regulation changes, enterprise organizations are left without a paddle on how best to manage personal data. With the number of hacks, breaches and thefts of confidential data (these all sound similar, but each is its own form of [insert word here (invasion/violation/hell)]) on the rise (think everything from Colonial Pipeline to your local hospital), entities that store, process or, in any way, take possession of data belonging to citizens of the European Union (from individual college student to ginormous multinational corporation) are in a bind about how such data is to be managed, treated, stored and, most importantly, protected. In two words, “good luck.”

Until fairly recently, businesses that shared, stored, processed or otherwise possessed client data were covered by the terms of the Privacy Shield, a framework developed by the U.S. Department of Commerce in consultation with the European Commission and Swiss Government, and including industry and other stakeholders. The goal was (key word here is “was”) “to provide companies on both sides of the Atlantic with a valid legal mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the United States in support of transatlantic commerce.” 
Until it was recently invalidated because the European Court decided it did not offer sufficient protection, the Privacy Shield program was administered by the U.S. Department of Commerce. It required participating entities to self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield Principles, including the Supplemental Principles requirements. While joining Privacy Shield was voluntary, once an eligible company made the public commitment to comply with the requirements, that commitment was intended to be enforceable under U.S. law.
However, last July, the Court of Justice of the European Union (the highest court in the EU) struck down Privacy Shield as invalid, leaving entities nothing short of baffled about how best to manage the personal data of the entities and individuals whose information they hold. However, while Privacy Shield has been invalidated, the court’s decision “does not relieve participants already committed to the EU-U.S. Privacy Shield of their obligations under the existing framework.” Huh? The platform has been invalidated, but the terms still apply? Yes.
The European Data Protection Board (EDPB) has adopted guidance (guidance is not the same as law; think back to the Pirate Code from “Pirates of the Caribbean,” one of my all-time favorite reference points) to address some frequently asked questions, but the uncertainty continues. Specifically, participants from the EU want the standards to be stricter than those that currently exist in the U.S. As a quick refresher, aside from some specific vertical areas of interest (think HIPAA, for example), there is no U.S. federal privacy law. California has enacted the first state law, and other states find themselves in various stages of implementation, but without an enforceable federal privacy standard, companies that do business in Europe find themselves in an uncomfortable and uncertain state of limbo as they try to keep from violating rules that are, at best, a moving target.
Very specifically and critically, the Securities and Exchange Commission has received filings from dozens of different businesses within the past year saying the ongoing confusion over the legality of U.S.-EU data transfer may have a negative impact on finances, operations and service offerings overseas.
In addition to business interests, both non-governmental entities and academic institutions that rely on access to data for research and policymaking are also feeling the pain. One recent example came last month, in April, when the Federation of European Academies of Medicine and the European Science Advisory Council reported that uncertainties around sharing health data outside the EU put essential research, including research on vaccines, at risk, with thousands of collaborations with the U.S. already affected.
April was a big month for these issues to gain widespread attention. Portugal's National Data Protection Commission ordered its census bureau, Statistics Portugal, to suspend sending census data to the U.S. because the bureau was using Cloudflare, an American company. Additionally, U.S. email marketing company Mailchimp was implicated, also in April, when the Bavarian data protection authority ordered a European magazine to stop using the service to distribute its newsletters.
Possibly of greatest import has been Microsoft’s decision (in May), as reported in Law360, that it would begin storing and processing EU cloud customer data in the EU, “citing its commitment to meeting EU data protection laws, including GDPR.” The ability to store and process data locally is something large companies can execute because they can bear the expense and inconvenience. Smaller companies, however, faced with either the expense of European premises-based processing or the risk of non-compliance with the terms of GDPR, will likely be forced to give up the business completely.
On the good news front, Standard Contractual Clauses (SCC) may offer some risk mitigation. These clauses, which have recently been revised, have been designed to address different scenarios in which sensitive data is transferred. In addition, according to the National Law Review, they address the “complexity of modern data-processing chains.”
Standard Contractual Clauses (they are a “thing,” which is why the title is capitalized here) contain contractual obligations for both the sender and receiver of data. It’s important to note that users of such clauses must validate, on a case-by-case basis, that the clauses provide an adequate level of protection and security for the data being transferred. According to the International Association of Privacy Professionals, there are two sets of SCCs: “one that deals with international transfers of EU personal data to processors, and another that deals with transfers to controllers.” All currently existing SCCs were issued under the 1995 Data Protection Directive, the predecessor of the EU General Data Protection Regulation. Most of these words are terms of art, so if you’re already vested in GDPR, you’ll be familiar with the terms “controllers” and “processors.” If not, it is time to study up.
The best advice going forward is that if data transfers between the U.S. and Europe are a concern, you need to remain vigilant about changes in policy and regulation. Change is a constant in this space. Stay tuned.
Article originally appeared on Martha Buyer Telecommunications Law (https://www.marthabuyer.com/).