ECJ declares data protection agreement "Privacy Shield" between EU and USA invalid

The European Court of Justice has declared the "Privacy Shield" data protection agreement between the EU and the USA to be invalid (ECJ ruling of 16.07.2020, C-311/18). This has far-reaching consequences for transatlantic business transactions.

The ECJ had already overturned the Safe Harbor regulation, the predecessor of the Privacy Shield Agreement, in 2015.

The Privacy Shield was intended to guarantee the level of protection of the European General Data Protection Regulation (GDPR) when personal data is transferred from the EU to the USA. US companies therefore had to be certified as recipients of protected data.

The following now needs to be examined:


1. Which data processing operations take place in the USA, and whether these have so far been legitimized on the basis of your US business partner's Privacy Shield certification.


2. These business partners should be contacted to clarify which legal alternatives can be considered in order to continue processing data in the USA. These are, for example:

a) so-called standard contractual clauses:
These are model contracts provided by the EU. We would be happy to advise you on the selection of the appropriate contract and the further procedure.


b) so-called Binding Corporate Rules:
These are binding corporate guidelines to ensure a level of protection for data transmission that complies with the GDPR.
It should be noted, however, that this is a lengthy process and requires the approval of the competent data protection supervisory authority.


c) Relocation of data processing to the EU or another safe third country:
As a last resort, consideration should be given to moving the processing of data to the EU or to another safe third country (such as Japan, Israel, Switzerland, Argentina, Canada, New Zealand or Uruguay) in order to effectively resolve the problem.

 

3. After the procedures have been adapted, the data protection declarations must be updated accordingly, insofar as they state that data processing takes place in the USA with a Privacy Shield-certified business partner. The new legal basis for the transfer of data must then be stated there.

The same applies to your internal procedural documentation and to the data processing agreements you have concluded (e.g. for hosting, software as a service, etc.) if a US processor or US sub-processor has been engaged.

Since the decision of the European Court of Justice has considerable EU-wide implications, it can be assumed that the data protection supervisory authorities will initially grant the companies concerned a transitional period to adjust their processes before they face regulatory measures. This was also the case after the decision on the invalidity of the Safe Harbor Agreement.

However, it remains to be seen whether this grace period will also apply to warning letters under competition law from competitors or other associations. A solution should therefore be found promptly.

Our competence team "Business and Economy" will be pleased to advise you on this matter.

 

Your contact person:

Tim Schwarzburg - Lawyer

Specialist lawyer for labor law

Specialist lawyer for commercial and corporate law