Since the adoption of the General Data Protection Regulation (GDPR), U.S. companies have invested a great deal of time and money in their compliance efforts; yet for many, their work is far from complete. For U.S. data importers, the July 2020 invalidation of the EU-U.S. Privacy Shield has left former “self-certified Shield” companies forced to find a new mechanism by which to lawfully transfer EU data into the U.S. Many of these companies will likely adopt the new set of standard contractual clauses (SCCs), once they are finalized by the European Commission. In the meantime, rather than waiting for additional guidance from the EU, U.S. data importers can and should begin taking steps now, in anticipation of the forthcoming expanded obligations which will be imposed on data processors under the new SCCs, by making practical enhancements to their existing data protection protocols. In particular, they can:
- Review and amend existing Data Processing Agreements (DPAs) with EU data exporters in order to align these agreements with the European Data Protection Board (EDPB)’s recommendations of November 2020. These revisions will augment the obligations of U.S. data importers beyond what is currently required under Article 28(3) of the GDPR;
- Review and reinforce the physical, technical and organizational processes currently in place to protect EU personal data, keeping in mind the concerns raised[1] by European authorities over the access U.S. intelligence agencies have to EU data imported by U.S. companies; and
- Begin taking an inventory of all U.S. laws and regulations which may potentially mandate the communication and disclosure of EU personal information to both U.S. federal and state regulators in the process of regulatory investigations and courts in the context of litigation for the purpose of adopting new internal processes designed to review and challenge such disclosure requests in accordance with applicable law.
By taking these steps now, as opposed to waiting until the new SCCs have officially become law, U.S. processors will be better prepared when the new SCCs come into force. Additionally, a proactive strategy effectively demonstrates to EU data exporters that their U.S.-based processors understand and accept the seriousness of the EU concerns around personal data. Finally, U.S. data importers who prepare now will help position their EU counterparts in meeting their own new obligations following the Schrems II ruling, including documenting their compliance with the GDPR in the area of international data transfers.
If your company accesses personal data from the EU, and you would like assistance with your compliance efforts, please contact Stephan Grynwajc at stephan@outsidegc.com or 347-543-3035.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. stephan@outsidegc.com
[1] Both the Court of Justice of the European Union in its landmark Schrems II ruling on July 16, 2020 and the EDPB in its November 2020 recommendations have raised concerns, particularly since the passage of the CLOUD Act of 2018 which is seen as contravening the GDPR by circumventing the protections afforded to EU personal data under it.