Companies wishing to transfer personal data from the EU to the US will no longer be able to use the EU-US Privacy Shield certification.
On July 16, the Court of Justice of the EU declared the Privacy Shield framework invalid for transferring personal data of EU citizens to the US.
In the court case, the Privacy Shield was deemed insufficient to protect EU citizen data from the US National Security Agency (NSA): “[R]equirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”.
Governments enter bilateral agreements on data transfer to protect the personal data of their citizens from falling into the wrong hands. The Privacy Shield had served as the basis for data transfer between the EU and US since 2016. Companies with Privacy Shield certification were permitted to transfer personal data of EU citizens to the US.
Those companies will no longer be able to rely on their Privacy Shield certification. Companies will now have to find a new mechanism to transfer data to the US lawfully.
Papaya’s Chief Legal and Compliance Officer Inbal Aviad said, “we are talking about a significant change in the privacy world, not only regarding transferring data between US and Europe, that will affect almost all companies, especially those who are processing (or involved in processing) HR data like Papaya. We will need to implement a new mechanism for safeguarding EU data, like the Standard Contractual Clauses, but not only.”
Ms. Aviad added, “Countries recognized as Adequate by the EU are in a better position in this situation.”
Court: SCC Transfers Still Valid
The transfer of EU individuals’ personal data outside the EU is permissible if the requirements of Chapter V of the GDPR (General Data Protection Regulation) are satisfied. Permissible mechanisms for data transfer include adequacy decisions of the European Commission, such as the Privacy Shield, or appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
In the same ruling, the court maintained that the SCC remains valid, subject to the requirement that companies verify whether the conditions of transfer, including the destination country, offer appropriate safeguards to individuals’ personal data in accordance with the GDPR.
The case was brought to the court by Max Schrems, and the ruling is known as the “Schrems II” decision. He contended that Facebook Ireland, Facebook’s European entity, used the Privacy Shield to transfer the personal data of EU citizens to Facebook, Inc. in the US. Schrems claimed that this data transfer mechanism could not provide a valid legal basis for transfers to the US, in part because Facebook, Inc. is obliged to make the personal data of its users available to U.S. government authorities in the context of their surveillance programs.
Former United States intelligence contractor Edward Snowden revealed in his 2013 leak of classified NSA documents that the NSA was able to access data from major US tech companies such as Facebook, Google, Apple, and Microsoft.