Cancellation of the Privacy Shield: how can European companies continue to exchange data securely?

KEY FIGURES

As of July 16, 2020, it is no longer possible to transfer personal data from the EU to the USA by relying on the Privacy Shield. Following the Schrems II case, the CJEU invalidated the Privacy Shield agreement: it did not offer European users transparency about how their data is handled on American soil, nor a strong assurance that such data is protected against access permitted by laws such as the Cloud Act, to which the majority of American companies and public cloud providers are subject. (Read more about the full decision here.)

This sudden decision, in a business context already marked by the Covid-19 health crisis, means that companies need to react very quickly if they are not to find themselves in an illegal situation when exchanging data with their American partners, customers or cloud suppliers.

So what are the immediate options available to European companies?

What is the privacy shield?

Entering into force on August 1, 2016, the "Privacy Shield" allowed European companies to transfer data to companies in the USA that were also subject to this agreement.

The EU-US Privacy Shield framework was designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring data. (Find out more about the adequacy decision.)

The Privacy Shield offered significant benefits to US-based organizations, as well as to their partners in Europe. These include:

  • EU Member States' requirements for prior approval of data transfers are either removed, or approval is granted automatically; and
  • Compliance requirements are clearly defined and cost-effective, which should particularly benefit small and medium-sized businesses.

Following the CJEU's decision to annul the agreement governing data sharing between Europe and the USA, a wave of uncertainty and questioning has swept through the IT and legal departments of European companies. They must quickly find an alternative in order to continue their activities with the United States.

What are the alternatives for European companies?

Companies are responsible for ensuring that their counterparts outside the EU apply legislation equivalent to European data protection legislation. If this is not the case, the counterpart has a duty to inform the company exporting the data of its inability to comply with that legislation.

SCC

Although the CJEU invalidated the Privacy Shield agreement, it also confirmed the validity of the Standard Contractual Clauses (SCC). (See Press Release)

This is a first alternative for companies wishing to continue trading with the USA. The Standard Contractual Clauses are model contracts for the transfer of personal data adopted by the European Commission. They remain valid and can be used until they are updated.

A distinction is made between Standard Contractual Clauses governing transfers

These clauses still allow European companies to legally share data outside the EU, notably with the USA. However, given US extraterritoriality laws, there is no guarantee that this will still be the case in the months or years to come.

The GDPR

To date, it remains the best legal protection for European companies, ensuring that data exchanged between the EU and the USA will not be misused. But American companies must also agree to abide by it.

Read also: GDPR issues in the face of growing use of the public cloud

And what about European technological innovation?

Another alternative is to adopt security solutions made in Europe, which provide:

  • Exchange of sensitive data with complete confidence
  • Collaborative working between partners via secure intra- or extra-EU channels
  • Protection of data before it is stored in public clouds, most of which are American
  • Security of data transport and sharing
  • Authenticity and integrity of shared data
  • Exclusive control of data access by the data owner

Following the example of our PARSEC secure storage and sharing solution, Europe, and France in particular, has no shortage of innovative solutions for maintaining the sovereignty of states and companies. In addition, these increasingly open source solutions offer the transparency, agility and mobility that proprietary solutions do not.

Sources

Court of Justice of the European Union: The Court invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield

Privacy Shield Program Overview | Privacy Shield

Standard Contractual Clauses of the European Commission | CNIL

CNIL: The privacy shield

InfoCuria: JUDGMENT OF THE COURT (Grand Chamber) – July 16, 2020
