Privacy Shield Invalidated - Standard Clauses Upheld (with Additional Obligations)
Sterling Miller
CEO, Three-Time General Counsel, Author, Keynote Speaker - currently CEO & Senior Counsel at Hilgers Graben PLLC.
I suspect many of you have heard that earlier this week the CJEU invalidated the Privacy Shield (i.e., one of the mechanisms that permit the flow of personal data from the EU to the US). The CJEU also reviewed the Standard Contractual Clauses and upheld them as a valid method to permit such transfers, but placed additional obligations on the exporter and importer to ensure equivalence with protections provided by EU data protection law. Yep, that's a lot to unpack. Fortunately, the good folks at Hogan Lovells have written an excellent blog piece on what happened, what it means, and what in-house lawyers should be doing in light of the decision. To read it, click here. From the blog, a list of "what to do now:"
- "Switch from Privacy Shield to alternative safeguards: Where only the Privacy Shield was used to legitimize the transfer, companies should take steps now to ensure coverage under another safeguard.
- Verify level of protection of international data flows: Once the relevant personal data flows are identified, companies should assess the safeguards they apply to data transfers, including a nuanced analysis of the local laws in the recipient country. In this respect, for data transfers to the US, it will be especially relevant to what extent the data recipient is subject to Section 702 FISA and E.O. 12333.
- Assist EU customers: Service providers with data processing operations in the US and elsewhere should consider how best they can facilitate the task placed on their European customers to verify the adequacy of the level of protection for their data.
- Look out for statements from DPAs: It is likely that European data protection authorities and the European Data Protection Board (EDPB) will publish statements on the legality of data transfers to certain countries on the basis of SCCs, having a particular focus on data transfers into the US.
- Monitor activities on updated SCCs: Despite the fact that the CJEU declared SCCs to be valid, it is possible that the European Commission will issue a new set of updated SCCs in order to address the risks identified by the CJEU with regard to activities of law enforcement and intelligence agencies in the US."
All solid, practical advice. The bottom line is that the world of EU-US data transfers is going to get messy again. Last time this issue came up, the Obama administration moved swiftly to cooperate with EU officials to devise the Privacy Shield program. I am not so sure the current administration will look to be so cooperative (but hopefully so). Additionally, the COVID-19 pandemic is certainly distracting both governments, making data transfers a lower priority than in the past. Regardless, that is no excuse to remain idle, and smart in-house legal departments (assuming you are relying on either mechanism as the basis to transfer personal data) should be working hard to figure out how best to respond. That said, I continue to wonder how the EU permits wide-open personal data transfers to countries like China and Russia which likely have at least the same issues as the US if not more (yes, I am being understated here). Still, it would be smart if Congress got off its butt and passed a comprehensive data privacy law for the US. Between this CJEU decision and the myriad of state data privacy obligations, such a law is critically needed. See also my legal blog, "Ten Things You Need to Know as In-House Counsel," and my posts on GDPR and things to do before a data breach happens.
Award Winning In-House Counsel | Founder of Contract Nerds | Author of Contract Redlining Etiquette | Keynote Speaker & In-House Trainer
4 years ago: Exactly why we need comprehensive data privacy laws for the US.
Corporate Legal Department Optimization | Efficiency with Confidence | Corporates Account Executive
4 years ago: Always so timely and insightful, Sterling.