When Europe’s top court scrapped the European Commission’s second attempt at establishing a cast-iron mechanism to ensure secure data transfers across the Atlantic, businesses knew there would be a price to pay.
However, following a list of “frequently asked questions” issued on July 24 by the European Data Protection Board (EDPB), the EU body in charge of regulating Europe’s compliance with data privacy and the General Data Protection Regulation (GDPR), it became apparent that the legal and financial burden for companies might actually be worse than first thought.
On July 16 the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, which allowed (on paper, at least) some 5,300-plus validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law.
Like its predecessor—known as Safe Harbor, which was scrapped in 2015—the Privacy Shield was axed over concerns raised by Austrian privacy campaigner Max Schrems that U.S. surveillance laws allowed the government access to EU citizens’ data, thereby violating EU regulations.
Yet—while the Privacy Shield was immediately dropped as a legal option—two other principal mechanisms remain open. While valid, however, neither is legally bulletproof any longer.
Standard contractual clauses (SCCs)—“off the shelf” template contracts prepared by the European Commission that have been relied on by businesses to facilitate transfers for nearly 20 years—were ruled to still be valid, but with caveats: The level of data protection in the third country has to be equivalent to that in the European Union and, if not, companies and EU data protection authorities will have to proactively suspend or prohibit transfers of personal data.
The other mechanism available to EU companies—and not mentioned in the CJEU judgment—is binding corporate rules (BCRs), which follow EDPB guidelines, have stringent accreditation requirements, and can take a long time to implement. As a result, they are not a popular option (only 135 companies have signed up to them).