Yvette Gabrielian (firstname.lastname@example.org) is a senior vice president in the cyber risk practice of Kroll. She is an attorney specialized in cybersecurity and data privacy with more than 14 years of experience in compliance and corporate governance. Alan Brill (email@example.com) is a senior managing director in the cyber risk practice of Kroll and a fellow of the Duff and Phelps Institute. He is also an adjunct professor at the Texas A&M University School of Law.
In a decision known as Schrems II, the Court of Justice of the European Union (CJEU) recently ruled that the EU-US Privacy Shield framework, “designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union (EU) to the United States in support of transatlantic commerce” and used by more than 5,000 US companies, was invalid. The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner against Facebook Ireland. The complaint alleged that the standard contractual clauses (SCCs), which Facebook Ireland relies on as the legal basis for transferring personal data outside of the EU for processing, do not ensure an adequate level of protection for EU data subjects because US legislation does not provide the same level of protection of the personal data as EU data protection laws. One of the CJEU’s concerns was that the US law enforcement agencies have mechanisms for compelling the sharing of information that the CJEU felt were not adequate under the Privacy Shield to provide EU residents with protections equivalent to those afforded under the European Union General Data Protection Regulation (GDPR). The court did not provide for a transition period, so its ruling became effective immediately. If your organization relied on Privacy Shield, you should know that it isn’t a valid basis for data transfers—effective now!