On July 16, 2020, the European Court of Justice invalidated an agreement between the European Union (EU) and the United States Department of Commerce (USDOC) that established a safe harbor for U.S. companies to transfer data from the EU to the United States in compliance with the EU’s General Data Protection Regulation (GDPR). The court was concerned that the terms of the agreement, widely known as the “Privacy Shield,” failed to address the U.S. government’s prerogative to intercept transferred data.
Over 5,000 U.S. companies, including Facebook and Google, relied on the Privacy Shield to conduct business in the EU. The EU and the USDOC will now negotiate a new data privacy agreement.
Remaining Compliance Options
In light of the ruling, there remain two alternative mechanisms by which U.S. companies can transfer data from the EU to the United States in compliance with the GDPR: standard contractual clauses (SCCs) and binding corporate rules (BCRs).
SCCs are contractual provisions in which the U.S.-based data recipient agrees to comply with EU data protection regulations. SCCs can be included in contracts between unrelated EU and U.S. companies or in intercompany agreements between an EU company and its U.S. affiliates.
BCRs are internal company policies which require a company’s U.S. personnel to follow EU data privacy requirements in their operations.
Feel free to reach out to our Data Privacy and Data Protection Practice Group if you have any questions about EU, U.S. or California data privacy compliance. Contact: Jed Weiner, Head of Corporate, at firstname.lastname@example.org.