On 16 July 2020 the EU-US Privacy Shield was ruled invalid by the Court of Justice of the European Union (CJEU), in a case commonly referred to as “Schrems II”.
This landmark ruling will have immediate implications for thousands of companies currently sharing European data with the US.
What is the background to this ruling?
European data protection law says personal data can only be transferred out of the EU, to the United States or elsewhere, when appropriate safeguards are in place. Initially, one such safeguard was the Safe Harbor agreement, which existed for several years.
Many organisations wanting access to European personal data signed up to Safe Harbor, which required them to maintain high privacy standards when importing EU data subjects’ data to the US.
In 2013, after leaks by ex-CIA contractor Edward Snowden revealed the extent of US surveillance of non-US citizens, Mr Max Schrems, an Austrian privacy campaigner, filed a complaint against Facebook for transferring EU users’ data to the US.
The complaint led to the CJEU overturning the Safe Harbor agreement. The EU-US Privacy Shield (a self-certification with the US Department of Commerce and commitment to comply with the framework requirements) was designed as a replacement to govern the transfer of EU citizens’ data to the United States.
But the Privacy Shield has also now been ruled inadequate after Mr Schrems argued that US national security laws did not protect EU citizens from the activities of the US intelligence services.
The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that the mechanisms in the EU-US Privacy Shield intended to lessen this interference were not up to the required legal standard of ‘essential equivalence’ with EU law.
So, what does this mean for European businesses?
Many businesses relied on the Privacy Shield for the free flow of data. These firms will now need to review how they can continue to transfer European personal data outside the EU. Options might include:
1. Stopping the transfer of European personal data out of the EU
2. Signing Standard Contractual Clauses (SCCs) with the European data exporter, which include all the relevant EU-approved clauses allowing the international transfer of data.
3. Binding Corporate Rules (“BCRs”), approved by one or several of the European data protection supervisory authorities, which are an option for transfers within a corporate group.
What does this mean for Rhetorik clients?
All individuals within the NetFinder database have been notified that their personal data is being processed by Rhetorik. This notice also links to our Data Privacy & GDPR website page, where it is made clear that the personal data might be transferred out of the EU, and that it might be used for direct marketing purposes by our clients – subject to national e-privacy legislation.
Our Licence Agreement already echoes the requirements highlighted by the 2010 Commission Decision on SCCs, and our internal processing and hosting occur in Europe and Canada, the latter covered by an Adequacy Decision.
Further, Rhetorik is currently reviewing its mechanisms for B2B data transfers outside the EU. If you have licensed European personal data (in the form of business card information) from Rhetorik, and it is currently processed outside the UK or EU (for instance, your CRM is hosted in the US), please get in touch to discuss possible additional measures to ensure the highest level of protection of the rights of the business card owners.
Please Contact Us if you have any questions about Rhetorik’s approach to compliance with this and other data legislation.