The European Union ("EU") imposes strict requirements on entities that collect personal data from individuals residing in the European Economic Area ("EEA") and then transfer that data to a non-EEA country. The General Data Protection Regulation ("GDPR") only permits cross-border transfers to countries or territories with a legal regime that provides an "adequate" level of personal data protection, as determined by the European Commission ("EC").
The United States is not deemed as having "adequate" laws and practices in place for the protection of personal data and thus, companies that transfer personal data from the EEA to the United States must rely on alternative options. One such mechanism is the EU-U.S. Privacy Shield (the "Privacy Shield"). Currently over 4,000 US companies rely on Privacy Shield as a mechanism for cross border transfer of personal data.
However, the future of the Privacy Shield as it currently exists is uncertain, as, on July 5, 2018 the European Parliament plenary adopted a resolution calling for the suspension of the Privacy Shield if the United States does not show compliance with the Privacy Shield framework by September 1, 2018. The European Commission will undertake an annual review of the Privacy Shield in October 2018. If, at such time, the EC rescinds the Privacy Shield as an adequate data protection mechanism, U.S. companies will be left with very few options under which to conduct cross-border transfers of data originating in the EEA, two of which are: "Binding Corporate Rules" ("BCRs") and "Model Clauses" (also called "standard contractual clauses").
Among other grievances, the European Parliament has alleged that the U.S. does not adequately enforce the protections that the Privacy Shield requires of U.S. companies. The resolution says that there is insufficient oversight of the certification process and, in general, a lack of supervision. Delays in investigation of companies that may have misused personal data or otherwise breached the Privacy Shield regulations are a massive concern. According to the European Parliament website, several members of the European Parliament ("MEPs") called for a re-evaluation of the Privacy Shield after issues surfaced publicly in early 2018 showing that prominent Privacy Shield-certified companies were not, in fact, compliant. In particular, MEPs criticized the U.S. for failing to take swift action following revelations of misuse. And MEPs called for companies who have revealed violations of the regulation to be removed from the Privacy Shield list altogether.
The European Commission publicly noted the Parliament's resolution and has so far adopted a position whereby it is committed to a fully functioning Privacy Shield, in cooperation with the United States and is working actively with U.S. officials in that direction. Only the European Commission can suspend Privacy Shield but Privacy Shield's predecessor, Safe Harbor, was defeated by the European Court of Justice, not the EC. The pressure is now on.
# # #About Baker Botts L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients’ industries, we are recognized as a leading firm in the energy and technology sectors. Throughout our 178-year history, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit BakerBotts.com.