On September 18, 2020, Brazil’s data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) became effective, retroactive to August 16, 2020. Administrative penalties do not begin until August 1, 2021, based on a delay previously enacted by Brazil’s legislature. Brazil’s legislature had rejected a provisional measure that would have postponed applicability of the law itself. In addition, Brazil’s president issued a decree establishing the structure of the new data protection authority, the Autoridade Nacional de Proteção de Dados (“ANPD”).

Ultimately, the LGPD will affect organizations doing business in Brazil in a way none of the previous privacy laws and norms have. General data protection provisions and principles are already found in Brazil’s federal constitution, the Brazilian Civil Code, and laws and regulations addressing consumer protection and employment, particular sectors such as financial institutions, health care providers, or telecommunications services providers, and particular professional activities such as medicine or law. Although the country already had several sectoral privacy laws and more than 40 laws and norms at the federal level, the LGPD is the first law to provide a comprehensive framework regulating the use and processing of all personal data.  In light of today’s digital economy and the perpetually expanding use of personal data, companies in all sectors are going to have to adjust and adapt their data collection practices to Brazil’s LGPD.

Influenced by the GDPR, the law sets forth, in 65 articles, the Brazilian conception of personal data and provides the legal bases for authorizing its use. A side-by-side comparison of the LGPD and the GDPR provided by the International Association of Privacy Professionals (“IAPP”) can be found here.

By way of summary:

Jurisdiction. Like the GDPR, the LGPD provides for extraterritorial jurisdiction. Under Article 3, a processing operation is subject to the LGPD when any one of the following is true: (1) the processing operation is carried out in Brazil; (2) the processing is for the purpose of offering or supplying goods or services to, or processing data of, individuals located in Brazil; or (3) the personal data was collected in Brazil. If one of these conditions is met, the location of the company’s headquarters is irrelevant, and the LGPD applies.

Scope of “personal data”. Personal data is broadly defined to encompass any information regarding an identified or “identifiable” natural person. It also includes any data that can be combined with other data to identify an individual. Given the rapid development of big data, this definition could be interpreted to include almost any kind of data.

Sensitive personal data. Like GDPR, the law includes additional provisions specific to “sensitive personal data”, which is considered vulnerable to discrimination. This includes personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, health or sex life, and genetic or biometric data. Such data may only be processed in limited circumstances.

Data subject rights. Article 18 enumerates the rights of data subjects and requires that they be made known in an easily accessible manner. These rights include:

  1. Confirmation of the existence of the processing;
  2. Access to the data;
  3. Correction of incomplete, inaccurate or out-of-date data;
  4. Anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in noncompliance with the provisions of the law;
  5. Portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the national authority;
  6. Deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 of the law;
  7. Information about the public and private entities with which the controller has shared data;
  8. Information about the possibility of denying consent and the consequences of such denial; and
  9. Revocation of consent.

Importantly, the LGPD expands upon the GDPR’s “right to be informed” by including both: (a) the right to be informed of the entities with which data is shared and (b) the separate right to be informed of what will happen if the data subject refuses to consent. This gives data subjects greater transparency about, and understanding of, the impact of their choices.

General principles. The law lays out 10 principles that must be observed when processing personal data: purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability. Ultimately, the extent to which these principles are observed will guide the ANPD in determining whether a company is compliant.

Grounds for data processing. Like the GDPR, the LGPD restricts data processing to certain enumerated legal bases set forth in its text, one of which is the valid consent of the data subject. Consent requests must be clear and must include the purpose of the processing, the duration of the processing, the identity of the data controller, the entities to whom the data will be disclosed and the rights of the data subject, including the right to deny consent.

In the absence of valid consent, the law permits data processing in limited scenarios, including when processing is necessary to fulfill the legitimate interests of the controller. Importantly, these “legitimate interests” are subject to a balancing test against the data subject’s fundamental rights, in which those rights may ultimately outweigh the legitimate interests articulated.

Data breaches. Controllers must notify the ANPD and the affected data subjects of any security incident that “may create risk or relevant damage to data subjects.” The LGPD does not specify a deadline for breach notification, but requires notice within a “reasonable time period” and requires that the notice contain certain specified information.

Data Protection Officer. The LGPD requires a data protection officer. However, unlike the GDPR and other laws, Executive Order No. 869/18 indicates that the DPO does not have to be a natural person. Rather, companies, committees or other internal groups are able to serve as the DPO. Alternatively, an organization may outsource the position to a third party, such as a specialized company or law firm.

National Data Protection Authority and enforcement. Brazil’s ANPD will be responsible for overseeing compliance and for conducting the balancing tests described above. The initial provision creating the ANPD was vetoed and, as a result, the ANPD was not officially established until the passage of Executive Order No. 869/18. The ANPD is therefore not yet fully operational. Once it is stood up, the ANPD will have various enforcement tools and administrative penalties available, such as:

  • A formal warning with a deadline for corrective measures.
  • Fines of up to 2% of the company’s gross revenue in Brazil in the prior fiscal year, limited to R$50 million (approximately $9.4 million US) per infraction.
  • Daily fines for noncompliance, cumulatively up to the same limit.
  • Public disclosure of the infraction after proper investigation and confirmation of its occurrence.
  • Blocking of the personal data involved in the infraction until the situation is corrected.
  • Elimination of the personal data involved in the infraction.
  • Partial suspension of the operation of the database involved in the infraction for a maximum of 6 months, extendable for the same period, until the activity is compliant.
  • Suspension of the processing activity involved in the infraction for a maximum of 6 months, extendable for the same period.
  • Partial or total prohibition of engaging in personal data processing activities.

These penalties will only take effect in August 2021, and they must be applied directly by the ANPD. However, this body is not yet up and running since the relevant regulation on its internal structure and staffing by civil servants and political appointees was only issued at the end of August this year. The ANPD will thus be fundamental in regulating and issuing guidance about the various provisions and themes covered by the law.

Conclusion. More will be known once the ANPD is up and running, issues guidance and interpretations, and begins enforcement activities. Much as with the CCPA’s January 1, 2020 statutory compliance date and the enforcement and regulations that followed, companies are left in the meantime to try to determine the best path to compliance. Companies also need to be aware that the law is already effective and can be applied by the courts and other competent authorities even before the ANPD begins enforcement.


On August 19, 2020, the California State Assembly Committee on Appropriations ordered to a second reading Assembly Bill (“AB”) 1281, which would extend the California Consumer Privacy Act (“CCPA”) exemptions for employee information and business-to-business (“B2B”) transactions until January 1, 2022. Specifically, AB 1281 would exempt information collected about a natural person in the course of that person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor. It would also exempt information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person acting as an employee, and whose communications or transactions with the business occur solely within the context of the business’s due diligence regarding a product or service. AB 1281 would only become operative if the California Privacy Rights Act (“CPRA” or “CCPA 2.0”) is not approved by voters in the November 2020 general election.

Two other bills, AB 660 and AB 1782, were also referred to the Appropriations Committee on August 19, 2020.  AB 660 would prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any purpose other than facilitating contact tracing efforts. It would also require all data collected, received, or prepared for purposes of contact tracing to be deleted within 60 days, except if that data is in the possession of a state or local health department.  AB 1782 would create the Technology-Assisted Contact Tracing Public Accountability and Consent Terms Act.  This would generally regulate public health entities and businesses that provide technology-assisted contact tracing. AB 1782 would also require a business or public health entity offering technology-assisted contact tracing to provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.

To view AB 1281, click here.

To view AB 660, click here.

To view AB 1782, click here.

On Friday, August 14, 2020, the California Attorney General released the final CCPA regulations issued under the California Consumer Privacy Act of 2018 (“CCPA”) as approved by the California Office of Administrative Law (“OAL”), and filed them with the California Secretary of State.  During its review, the OAL made additional revisions to the CCPA regulations, which it stated were “non-substantive” and primarily for accuracy, consistency, grammar, and clarity, and for eliminating unnecessary or duplicative provisions. Per the Attorney General’s request, the regulations became effective on August 14, 2020, the day they were submitted to the Secretary of State by the Attorney General.

To view the final CCPA regulations, click here.

To view a redline version of the additional changes made by the OAL to the Attorney General’s proposed regulations, click here.

To view OAL’s statement of reasons detailing its additional changes, click here.

Yesterday, on August 10, 2020, the European Commission (“Commission”) and the U.S. Department of Commerce (“DoC”) issued a joint statement announcing that they have begun discussions to evaluate potential enhancements to the EU-U.S. Privacy Shield framework. These discussions are intended to address the recent Schrems II decision of the Court of Justice of the European Union (“CJEU”). Both entities recognized the importance of data protection in the EU and the U.S., as well as the significance of cross-border data transfers to the “nearly 800 million citizens on both sides of the Atlantic.” They also noted their shared commitment to privacy and the rule of law, and to further deepening their economic relationship.

To view the joint statement on the Commission’s website, click here.

To view the joint statement on the DoC’s website, click here.

Vermont Amends Data Breach Notification Law

On July 1, 2020, amendments to Vermont’s Security Breach Notice Act, 9 V.S.A. §§ 2330 & 2335, took effect along with a new “Student Online Personal Information Protection Act.”

Key amendments to the security breach act include:

  • An expanded definition of Personally Identifiable Information (“PII”). The definition now adds various ID numbers, unique biometric data, genetic information, and certain health or wellness records.
  • Expanded definition of security breach to include “login credentials”. Login credentials are defined by the amendment as “a consumer’s user name or email address in combination with a password or an answer to a security question that together permit access to an online account.” Businesses should treat login credentials and PII alike when considering whether a breach occurred and whether a general duty to notify exists, but login credentials differ from PII in how and to whom notice must be provided.
    • If only login credentials are breached (without breach of actual PII), a data collector is only required to notify the Vermont Attorney General (or the Department of Finance, as applicable) if the login credentials were acquired directly from the data collector or its agent. The law specifies different notification requirements depending on whether the breached login credential would permit access to an email account.
  • Narrows the permissibility of substitute notice. Previously, substitute notice was permitted when the class of affected consumers to be provided written or telephonic notice exceeded 5,000, the cost of direct notice would exceed $5,000, or the data collector did not have sufficient contact information. Now, substitute notice is only permitted where the lowest cost of providing notice to affected consumers via written, email, or telephonic notice would exceed $10,000. This revision added email as a permissible form of notice and eliminated the number of affected consumers exceeding 5,000 as a basis for substitute notice. Because email allows companies to provide mass notice to affected consumers in a timely manner at low cost, it will be more difficult for data collectors to reach that $10,000 threshold.

Vermont Enacts New Student Privacy Law

Vermont’s new Student Online Personal Information Protection Act updates the state’s privacy law to include regulations specifically concerning the data of pre-K to 12th grade students. The law applies to operators of websites, online services, or mobile applications designed and marketed to, and used primarily by, pre-K to 12th grade schools.

Under the new law, enforceable by the Vermont Attorney General, operators are generally prohibited from:

  • Engaging in targeted advertising based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes;
  • Using information that is created or gathered by the operator’s site, service, or application to amass a profile about a student, except for PreK-12 purposes;
  • Selling, bartering, or renting a student’s information; or
  • Disclosing covered information to a third party, unless a specific exception applies (including certain disclosures for educational purposes).

Operators are also required to: (a) implement and maintain reasonable security procedures and practices; (b) delete a student’s covered information within a reasonable time period if the school or school district requests it; and (c) publicly disclose and provide the school with material information about the operator’s collection, use, and disclosure of covered information, including publishing terms of service, a privacy policy or similar document.

Operators may use or disclose covered information as required by law. Operators may also use covered information for legitimate research purposes in certain circumstances, and may disclose the information to a state or local education agency for PreK-12 purposes, as permitted by state or federal law. Operators are also not prohibited from using covered information in the following scenarios, so long as the information is not associated with an identified student within the operator’s sites, services, applications, products, or marketing:

  • Improving educational products;
  • Demonstrating the effectiveness of the operator’s products or services, including their marketing;
  • Developing or improving educational sites, services, or applications;
  • Using recommendation engines to recommend to a student (1) additional content or (2) additional services, where both relate to an educational, other learning, or employment opportunity purpose, so long as the recommendation is not determined in whole or in part by payment or other consideration from a third party; or
  • Responding to a student’s request for information or feedback, without the response being determined by payment or other consideration.

The law does not:

  • Limit the authority of law enforcement to lawfully obtain content or information;
  • Limit the ability of an operator to use student data for adaptive or customized student learning purposes;
  • Apply to general audience websites, online services, online applications, or mobile applications;
  • Limit service providers from providing Internet connectivity to schools, students, or their families;
  • Prohibit an operator from marketing educational products directly to parents;
  • Impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software to review or enforce compliance with the law;
  • Impose a duty upon a provider of an interactive computer service to review or enforce compliance with the law;
  • Prohibit students from downloading, exporting, transferring, saving, or maintaining their own student-created data or documents; or
  • Supersede the federal Family Educational Rights and Privacy Act (FERPA) or rules adopted pursuant to that Act.

Finally, the law requires the Vermont Attorney General, in consultation with the Vermont Agency of Education, to examine the issue of student data privacy as it relates to FERPA and access to student data by data brokers, and determine whether to make any recommendations.


This post was co-authored with Kaylee Rose, first-year law student at Cumberland School of Law:

On July 21, 2020, the New York State Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violations of the state’s cybersecurity regulations. Specifically, NYDFS alleges that First American exposed tens of millions of documents containing consumers’ sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. The statement of charges against First American states that from October 2014 through May 2019, a vulnerability in First American’s website exposed customers’ personal data. The statement of charges also claims that First American failed to adequately remedy the vulnerability once it was discovered.

First American is charged with violating multiple provisions under the NYDFS’s cybersecurity regulations. These regulations require regulated entities, like insurance providers, to establish and maintain an adequate cybersecurity program and procedures. First American is the first entity to be charged under these regulations, which came into effect in 2017.

The National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert warning that, over recent months, threat actors have been targeting critical infrastructure (CI) by exploiting Internet-accessible operational technology (OT) assets. The alert describes recently observed tactics, including spear phishing and ransomware, and recommends that owners and operators of CI take immediate steps to protect their systems, specifically that they: (1) have a resilience plan for OT, (2) exercise an incident response plan, (3) harden their networks, (4) create an accurate “as-operated” OT network map, (5) understand and evaluate cyber-risk on “as-operated” OT assets, and (6) implement a continuous and vigilant system monitoring program.

To view the Joint Alert, click here.

We previously posted on yesterday’s Schrems II decision issued by the Court of Justice of the European Union (CJEU). Today (July 17, 2020), the Berlin data protection authority (Berlin DPA) went even further than the CJEU opinion, issuing a statement on the Schrems II case calling for Berlin-based data controllers storing personal data in the U.S. to transfer that data back to Europe. The DPA stated that data should not be transferred to the U.S. until the U.S. legal framework is reformed. In addition, regarding the SCCs that were cautiously validated by the CJEU, the Berlin DPA stated that European data exporters and third-country data importers must check, prior to transferring data, whether the third country grants state access to the data that exceeds what is permitted under European law. If such access rights exist, the Berlin DPA stated, the SCCs cannot justify the data transfer to that third country. The Berlin DPA thus requested that all data controllers observe and comply with the CJEU’s judgment. In practice, the Berlin Commissioner stated that data controllers transferring data to the U.S., especially when using cloud service providers, are now required to use service providers based in the EU or in a country with an adequate level of protection.

This could impact the ability of Berlin-based companies to transfer personal data to their US subsidiaries or other US-based vendors or business partners.

To read the press release (currently available only in German), click here.

On July 16, 2020, the Court of Justice of the European Union (“CJEU” or “Court”) issued a significant judgment in Case C-311/18 (the “Schrems II decision”) on the adequacy of the protection provided by the EU-U.S. Privacy Shield. The Court concluded that the Standard Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of personal data to processors outside the EU remain valid. However, the Court also invalidated the EU-U.S. Privacy Shield framework. In our post below, we: (I) provide some background on the events leading up to today’s decision; (II) summarize today’s decision; and (III) offer some reflections on what it means for U.S. organizations that transfer personal data from Europe.

I. Context/Background.

The Schrems II decision is the latest in a series of decisions regarding privacy advocate Maximilian Schrems (“Max Schrems”), who filed a complaint in 2015 with the Irish Data Protection Commissioner challenging Facebook Ireland’s reliance on standard contractual clauses (“SCCs”) as a legal basis for transferring personal data to Facebook Inc. in the United States. Facebook turned to the SCCs after the CJEU had invalidated the US-EU Safe Harbor framework in 2015 upon Max Schrems’ earlier complaint.

The General Data Protection Regulation (‘the GDPR’) provides that the transfer of personal data to a third country may, in principle, take place only if the third country in question ensures an “adequate level of data protection”. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard contractual clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.

Max Schrems, an Austrian national residing in Austria, has used Facebook since 2008. The personal data of Mr. Schrems (and other European users) is transferred by Facebook Ireland to Facebook servers located in the United States, where it is processed. Mr. Schrems lodged a complaint with the Irish data protection authority (“DPA”) seeking to prohibit those transfers. He claimed that U.S. law and practice do not sufficiently protect against access to the transferred data by U.S. public authorities. Specifically, he was concerned that EU personal data might be accessed and processed by the U.S. government once transferred, in a manner inconsistent with the privacy rights guaranteed in the EU, and that EU citizens have no remedy to ensure protection of their personal data after it is transferred to the U.S. Mr. Schrems’ complaint was rejected at the time on the basis, among others, that the Commission had already found in Decision 2000/520 (“the Safe Harbour Decision”) that the U.S. Safe Harbor Framework ensured an adequate level of protection.

Mr. Schrems challenged that rejection before the Irish High Court, which referred the question of the validity of the Safe Harbour Decision to the CJEU for a preliminary ruling. On October 6, 2015, the CJEU declared the Safe Harbour Decision invalid (“the Schrems I judgment”), thus invalidating the EU-U.S. Safe Harbor Framework and annulling the rejection of Mr. Schrems’ complaint.

In light of the Schrems I judgment, the Irish DPA asked Mr. Schrems to amend his complaint. In his amended complaint, Mr. Schrems claimed that the U.S. still does not sufficiently protect data transferred to that country, and sought to suspend or prohibit future transfers of his personal data from the EU to the United States. Meanwhile, Facebook Ireland had begun carrying out data transfers under the alternative mechanism of the standard contractual clauses (“SCCs”) set out in the Annex to Decision 2010/87 (the “SCC Decision”), which provides standard clauses that may be used for data transfers to countries that have not been found adequate.

Since the outcome of Mr. Schrems’ amended complaint hinged upon the validity of the SCC Decision, the Irish DPA brought proceedings before the High Court so that it could refer questions to the Court of Justice for a preliminary ruling. The High Court referred 11 questions to the CJEU, primarily addressing the validity of the SCCs but also raising the EU-U.S. Privacy Shield framework. After those proceedings had begun, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “Privacy Shield Decision”).

In the referral that led to today’s decision, the Irish High Court asked the CJEU: (1) whether the GDPR applies to transfers of personal data pursuant to the SCCs in Decision 2010/87, and what level of protection the GDPR requires in connection with such a transfer; and (2) what obligations are incumbent on supervisory authorities in those circumstances. The High Court also raised the question of the validity of both (3) the 2010 SCC Decision and (4) the 2016 Privacy Shield Decision.

II. Summary of Today’s CJEU Decision

In today’s decision, the Court stated that:

(1) GDPR Applies to Data Transfers. EU law, and the GDPR in particular, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country for purposes of public security, defense and state security. The Court added that this type of processing by the authorities of a third country cannot remove such a transfer from the scope of the GDPR. The GDPR’s requirements concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to SCCs must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. The assessment of that level of protection must take into consideration both: (a) the contractual clauses agreed between the data exporter established in the EU and the data importer established in the third country concerned and (b) the relevant aspects of the third country’s legal system regarding access to the data by its public authorities.

(2) Obligations of Supervisory Authorities. Regarding the obligations of supervisory authorities (such as the Irish DPA) in connection with such a transfer, the CJEU held that, unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country where, in the light of all the circumstances of the transfer, it takes the view that the SCCs are not or cannot be complied with in that country and that the protection of the transferred data required by EU law cannot be ensured by other means, if the data exporter established in the EU has not itself suspended or ended the transfer.

(3) Validation of the SCC Decision. The Court found that Decision 2010/87 (the SCC Decision) establishes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and to ensure that transfers of personal data pursuant to the clauses are suspended or prohibited in the event of a breach of the clauses or where it is impossible to honor them. In particular, the Court pointed out that the decision imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract. The Court thus emphasized that EU organizations relying on the SCCs must take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the data importer’s jurisdiction. The Court noted that organizations may implement additional safeguards to ensure an “adequate level of protection” for personal data transfers, although it did not specify what those additional safeguards might be. Further, non-EU organizations importing data from the EU under SCCs must inform the EU data exporters of any inability to comply with the SCCs. When a non-EU data importer is unable to comply with the SCCs, and no additional safeguards are in place to ensure an “adequate level of protection”, the EU data exporter must suspend the transfer of data and/or terminate the contract.

(4) Invalidity of Privacy Shield Decision. Finally, the CJEU decided, unexpectedly, to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In invalidating the Privacy Shield, the Court took the view that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law…” Specifically, the CJEU found, the Privacy Shield and its Ombudsperson mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.” For these reasons, the Court declared the Privacy Shield Decision to be invalid.

III. What this Means for U.S. Organizations

Therefore, while the SCCs remain valid under today’s decision, organizations that currently rely on SCCs will need to consider whether there is still an “adequate level of protection” for the personal data as required by EU law, taking into account the nature of the personal data, the purposes and context of the processing, and the country of destination. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”

Further, organizations that currently rely on the EU- U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. These may include the SCCs that remain valid (along with any additional safeguards as necessary). Alternatives may also include derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), or Binding Corporate Rules (“BCRs”) as set forth in the GDPR.

To read the CJEU decision, click here.

To read the CJEU press release, click here.