After Schrems II: Contracts No Longer Enough For International Data Transfer

Companies relying on the EU–U.S. Privacy Shield for data transfers should swiftly implement appropriate safeguards and mechanisms to avoid the risk of having data flows suspended, as the potential costs far exceed any possible, and possibly contemporaneous, fines.

Summary: On 16 July 2020, the Court of Justice of the European Union (CJEU):

• Declared the EU–U.S. Privacy Shield enabling trans-Atlantic data flows invalid;
• Ruled that organisations may no longer rely on EU Commission approved standard contractual clauses alone. Rather, they must now use additional appropriate safeguards for the lawful transfer of personal data to any country not having an EU Commission adequacy decision. This captures nearly every non-EU country in the world, including the US.

The lawfulness of your international data flows, in particular between the EU and the US, now requires immediate attention.

The Issue: Modern data protection laws, like the EU General Data Protection Regulation, implicitly acknowledge the proliferation of powerful technical tools performing analysis on massive stores of personal data. They also recognise the inability of contracts by themselves to protect individual privacy rights. When confronted with these type of technologies, laws must balance them against the rights of data subjects while not stopping innovation

Contracts and policies can provide clarity as to particular actions that involve wrongdoing or inappropriate use of data. However, by themselves, they are “too little, too late” if data subjects suffer identity theft, loss of credit, denial of time-sensitive services, discrimination, etc. In circumstances where data subjects suffer these harms, there is no adequate remedy by contract/policy alone. Contract-based mechanisms and policies need complementary tools, like appropriate technical safeguards for data, to be effective.

The CJEU ruled that to enable lawful international data transfer and processing, appropriate safeguards must be used to supplement contractual provisions to ensure data protection.

Looking Ahead: Data Protection Authorities will be reviewing exports of personal data beyond the European Union/European Economic Area ("EU/EEA").

Since no grace period was announced for compliance with the CJEU decision, companies relying on the EU–U.S. Privacy Shield for data transfers should swiftly implement appropriate safeguards and mechanisms to avoid the risk of having data flows suspended, as the potential costs far exceed any possible, and possibly contemporaneous, fines.

For more information, please read After Schrems II: Contracts No Longer Enough For Data Transfer, by Magali Feys, Chief Strategist of Ethical Data Use at Anonos and founder of AContrario Law, a boutique law firm specializing in IP, IT, Data Protection and Cybersecurity. On numerous occasions, Magali has assisted the Belgian Ministry of Public Health in privacy related matters. In addition, she is also a member of the legal working party e-Health of the Belgian Minister for Public Healthcare.

This article originally appeared in LinkedIn.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.