Ability of United States Companies to Receive Data From European Union Threatened by Recent Court Decision
American businesses already burdened by the data privacy and notice requirements of Europe’s strict GDPR regime face a whole new challenge when it comes to data transfers from companies in the European Union.
On July 16, 2020, the Court of Justice for The European Union [CJEU] issued a ruling invalidating the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework. The decision in Data Protection Commission v. Facebook Ireland, Schrems (referred to as “Schrems II”) held that domestic U.S. laws do not comply with EU data protection rules insofar as they fail to provide adequate protections against government access to private-sector data.
The decision does not mean that Transatlantic data exchanges will come to a screeching halt. The court reaffirmed the validity of Standard Contractual Clauses (SCCs) that offer appropriate data protection safeguards for data to be transferred internationally. Unfortunately, the CJEU did not provide any guidance on what it deems necessary or even sufficient safeguards for data protection. The decision does mean that American companies may need to provide further assurances and safeguards beyond what SSCs that are currently in place to ensure that the European companies they do business with will not need to suspend data transfers to comply with EU law.
Depending on the nature of the data and the applicability of laws involving government surveillance and disclosure, partners on both sides of the Atlantic will need to carefully consider, on a case-by-case basis, whether the safeguards for a given data transfer are sufficient.
If you have questions about the Schrems II decision, GDPR compliance, or data privacy and security in general, please contact John Ambrogi or Colin T.J. O’Brien, Co-Chairs of Latimer LeVay Fyock’s Intellectual Property Group.