In a landmark decision, the Court of Justice of the European Union (CJEU) has declared the Privacy Shield agreement to be invalid. What does this mean for businesses that transfer data between the E.U. and the U.S.? How can you ensure you’re not exposing the business to risk?
In this article, we will take a look at what legal departments can do to ensure compliance and how they can leverage legal tech to help.
What is Privacy Shield?
Back in 2013, Edward Snowden, the famous American whistleblower, disclosed information about surveillance activities of the U.S. national security agencies, which led to many legal challenges surrounding international data transfers between Europe and the U.S. One of the most effective challenges was brought by privacy activist Maximilian Schrems against Facebook Ireland, regarding the export of data to Facebook Inc. in California. This led the CJEU to declare the Safe Harbor agreement invalid in 2015.
The Privacy Shield agreement was intended to replace the Safe Harbor agreement. Furthermore, it was meant to act as a workaround for the General Data Protection Regulation (GDPR), by creating protections in the U.S. for European data that are equivalent to the data protection rights for people in the E.U.
Last December, the CJEU began to question the validity of the agreement based on U.S. surveillance practices. Privacy Shield was declared invalid on the grounds that it provides inadequate protections for the privacy and data protection rights of people whose personal information is transferred from Europe to the U.S.
Failure to comply has major regulatory implications for organisations that transfer data between the E.U. and the U.S. Organisations that fail to comply with the GDPR can face hefty fines of up to 4% of worldwide annual revenue or €20 million (whichever is greater). The fact that Privacy Shield has been declared invalid has left legal departments wondering how they can still safely transfer data outside the E.U.
What should my legal department do now?
One of the immediate actions you can take is to put standard contractual clauses (SCCs) in place between your business and the U.S. business to which you plan to transfer data. However, this may only be a short-term solution, since the ruling casts doubt on whether SCCs are sufficient as a long-term method for data transfers outside the E.U.
This also highlights the need for legal departments to have an overview of what personal data is stored, where it is transferred, and whether each transfer complies with the applicable regulations. However, this can be a time-consuming task if the information is scattered throughout the organisation. Investing in an all-in-one legal management solution, like Legisway, allows you to store all your legal information in one place, where you can easily find it using a full-text search.
Using Legisway, you can create accurate reports to help you analyse and stay in control of data processing activities. For example, you can generate a report to show all data processes where the processor is in a particular country, or contracts where the counterparty is located in the U.S. With a detailed overview, your legal department is able to demonstrate compliance and avoid exposing the business to risks.
Any data that flows outside the E.U. has been impacted by the CJEU’s decision to declare Privacy Shield invalid. Therefore, your legal department must examine all data flows and take measures to ensure compliance. Leveraging legal technology like Legisway allows you to demonstrate compliance to stakeholders. Download the brochure and discover how Legisway can help you simplify the management of legal information, control risk and share data with other departments.