Privacy Shield, a program created by the U.S. Department of Commerce in conjunction with the European Union and Switzerland to help U.S. organizations conform to EU data privacy law when handling data, was invalidated in a decision by the Court of Justice of the European Union on July 16, 2020. The Court first ruled the Privacy Shield framework was not adequate for protection of EU citizens’ data because of the limitations on U.S. public authorities’ access to the personal data of EU citizens was not restricted enough. Further, the Court objected to the lack of actionable rights given to EU citizens to lodge a complaint about the handling of their data to a governing body.
General Data Protection Regulation (GDPR)
For background, the General Data Protection Regulation (GDPR) law of the European Union provides robust protections for the personal data of EU citizens. Because this law does not apply to organizations outside the EU, individuals risk losing the law’s protections if their data is transferred overseas to the United States. As a result, the GDPR includes strict regulations for the removal of data outside the EU. In an attempt to assist organizations in complying with EU data laws, the U.S. Department of Commerce created Privacy Shield to provide a mechanism for organizations to transfer personal data from one side of the Atlantic to the other while maintaining compliance with European data privacy laws.
Privacy Shield was a voluntary program in which organizations implemented a detailed set of requirements regarding notice, choice, access, and accountability in their data handling practices. Though voluntary, once an organization joined Privacy Shield, the regulations imposed by the program had the force of law. An organization benefited by joining Privacy Shield because the security and privacy safeguards required by the program ensured that the company would also meet the minimum safety and privacy requirements of EU data privacy laws.
Though Privacy Shield no longer functions as a compliance mechanism for EU data privacy laws, organizations that have joined the program will be required to maintain its obligations. The U.S. Department of Commerce announced earlier this month that they have initiated discussions with the European Commission to determine whether an “enhanced EU-U.S. Privacy Shield framework” could be developed, while reconciling the differences in legal frameworks of surveillance, national security, and remedies for individuals. BrownWinick will continue to monitor the outcomes of these discussions.
For more information or questions
If you have questions regarding Privacy Shield, GDPR, or data privacy/security compliance, BrownWinick attorneys Caitlin Klingenberg and Thomas Story are available to help you navigate this complex and ever-changing space.