Under EU law, you may only transfer personal data to the United States if appropriate safeguards are in place, and on the condition that enforceable data subject rights and effective legal remedies for EU data subjects are available. To do this, you must first implement a transfer mechanism permissible under EU law.
Transfer mechanisms include the use of Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) to govern data transfers outside of the EU. Prior to July 16, 2020, registering with the U.S. Department of Commerce under the E.U.-U.S. Privacy Shield Framework was an additional acceptable transfer mechanism.
However, on July 16, 2020, the Schrems II decision by the CJEU (Court of Justice of the European Union) invalidated the EU-U.S. Privacy Shield Framework as a method for transferring and protecting personal data lawfully outside the EU. SCCs and BCRs were not invalidated as transfer mechanisms, but they have also been affected by this decision: the court held that the data exporter must verify, before relying on them, that the law of the destination country does not undermine the protection they promise, and must adopt supplementary measures where it does.
The Swiss-U.S. Privacy Shield Framework has similarly been found insufficient as a transfer mechanism.
What should I do if I am currently relying on Privacy Shield as my transfer mechanism?
If you are already registered with the US Department of Commerce under the EU-U.S. Privacy Shield Framework, you should keep in mind that your existing commitments to the Privacy Shield Framework remain enforceable by the U.S. Federal Trade Commission.
The U.S. Department of Commerce has indicated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.
You will also need to implement a new transfer mechanism — most likely SCCs.
SCCs are another method to transfer personal data lawfully outside the EU and ensure that personal data remains protected in accordance with EU law. They consist of non-negotiable language approved by the European Commission for agreements governing the transfer of personal data outside the EU.
As mentioned above, following Schrems II, the current version of the SCCs alone is likely not enough for compliance. Guidance suggests companies will need to conduct data transfer "risk assessments" and implement "supplemental measures" (such as, but not limited to, encryption of data in transit, and contractual or policy commitments from your website builder restricting government access to data) to transfer data lawfully to the U.S. Note that encryption in transit on its own only protects the data while it moves between systems; once decrypted by a recipient in the U.S., it is subject to that recipient's legal obligations, which is why contractual and policy commitments are discussed alongside technical measures.
We note that while BCRs, like SCCs, were not invalidated by Schrems II, they may likewise not be sufficient on their own. BCRs might be an option for your business, but they are typically best suited to multinational companies because of the time and expense required to implement and have them approved.
We will continue to update this FAQ with more specific instruction as EU regulatory authorities issue additional guidance over the coming months.
What if I do not rely on Privacy Shield as a transfer mechanism?
Even if you do not rely on Privacy Shield, you may need to re-assess any data transfers that you conduct from EU Member States to a country outside the EU (whether the U.S. or another country). In particular, you should ensure that appropriate safeguards are in place to protect personal data in accordance with EU requirements for international data transfers, both for the initial transfer out of the EU and for any onward transfers from the recipient to other parties outside the EU.