Failure to ensure adequate levels of data protection may result in heavy fines, and/or the complete shutdown of personal data transfers across international lines.
What is a Cross-Border Data Transfer?
For those unaware, a cross-border transfer is any transfer of personal data from one country to another – the issue frequently arises in the transfer of data from countries inside the EU to those outside of the European Economic Area. To put this into perspective, cross-border transfer obligations even attach to transfers within the same company. For example, transfers of personal, non-anonymized data (such as an employee’s name and address) from an HR employee in Germany to an HR employee in the U.S. is considered a cross-border transfer, and conducting such a transfer without appropriate privacy protocols in place may result in monetary penalties.
Privacy Shield and the CJEU Ruling in Schrems II
The Privacy Shield framework was designed to create a standardized methodology for securing private data transferred from the EEA to the US. Though its name suggests strong protection from GDPR fines and violations during cross-border data transfers, Privacy Shield ended up as nothing more than a Maginot Line, breached by the first court to apply real scrutiny. This week, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield through its decision in Schrems II. The court found that the U.S. Privacy Shield framework does not comply with GDPR guidelines because of the manner in which the U.S. government monitors its citizens. Ultimately, the CJEU reasoned that U.S. surveillance laws (more specifically, the lack of any protections for individuals related thereto) provide broad powers to the US government, which do not limit the processing of data to “what is strictly necessary.” This ruling has broad implications for how businesses conduct their operations, even if they are not Privacy Shield certified. It affects any business that conducts cross-border transfers of personal data.
What Should You Do?
Though some may read this article and think that they lucked out by never pursuing Privacy Shield certification despite their companies’ own cross-border transfers of data, the duty of compliance with GDPR transfer rules has not died with Privacy Shield. All companies that conduct cross-border transfers, including those that are not Privacy Shield certified, must begin implementing internal measures to guard against the risk of data breach and loss of said data. At a minimum, companies should meet with their Cybersecurity, IT, HR, and Legal teams on a regular basis to evaluate their data flow, including (i) what data they have; (ii) where it is stored; (iii) what protections they have in place to secure that data; and (iv) what legal requirements must be met before such transfers can take place.
For more information on data privacy matters, please contact a Kerr Russell attorney.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.
Nezar G. Habhab has a broad transactional practice handling matters related to leasing and purchasing, mergers and acquisitions, entity formation, commercial contracts, as well as data privacy. He works as part of the firm’s Data Privacy and Cybersecurity team to draft and review company policies, facilitate cross-border data transfer arrangements, and counsel clients on the risks associated with the control and processing of data around the globe. Additionally, Nezar is experienced in drafting and negotiating a variety of artist, influencer, branding, and licensing agreements in the experiential and marketing space for both SAG-AFTRA and non-SAG talent.