The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield

By Anna Mercado Clark, CIPP/E, CIPP/US, CIPM, FIP on August 12, 2020

Posted in GDPR, International, New Court Decisions

U.S. Department of Commerce and European Commission Release Joint Press Statement

On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.

The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S.

While the statement does not detail what an enhanced EU-U.S. Privacy Shield Framework might look like, it indicates that an agreement on a new framework is a priority for both entities and could be announced sooner than previously anticipated. It remains to be seen how the new framework will seek to address the Court of Justice of the European Union’s concerns regarding the incompatibility of U.S. surveillance laws with the privacy protections afforded by the General Data Protection Regulation (GDPR).

The full U.S. Department of Commerce Press Statement may be viewed here, and the full European Commission Statement may be viewed here.

Department of Commerce Provides FAQs on EU-U.S. Privacy Shield Framework

The U.S. Department of Commerce has provided an update to the FAQs on the EU-U.S. Privacy Shield Framework in regards to the Schrems II decision. The updated FAQs include five questions that seek to address issues of concern for entities currently certified under the Privacy Shield Framework and entities who are considering applying for certification.

The updated FAQs provide the following guidance:

The Privacy shield is not a valid mechanism of transfer when transferring personal data from the EEA to the U.S. The FAQs explicitly state that this does not relieve current participants of the program from their obligations under the Privacy Shield.
Consistent with guidance from the European Data Protection Board, there is no grace period during which organizations can continue to use the Privacy Shield as a basis to transfer personal data to the U.S.
Participants are advised to continue to abide by the Privacy Shield Framework to demonstrate a serious commitment to protect personal information and recourse for data subjects under the GDPR.
Re-certification under the Privacy Shield and details of how the U.S. Department of Commerce will continue to process submissions and re-certifications is addressed.
Withdrawal from the program is discussed, and the relevant links and information for entities that wish to do so are provided.

The full FAQs may be viewed here.

Phillips Lytle will continue to post updates regarding further developments. For more information or for legal assistance, please contact Anna Mercado Clark, CIPP/E at aclark@phillipslytle.com.

Menu

Data Security & Privacy

About Our Firm