Invalidation of the Privacy Shield: the digital sector worries about the immediate impact and calls for transitional measures, with a view to a stabilized protective framework

The sector’s trade associations are therefore deeply concerned about the immediate impact of the CJEU ruling on economic exchanges, not only for large companies but also for small and medium-sized enterprises, both European and international, as well as for social and scientific exchanges.

As a reminder, with regard to transfers from the European Union to the United States, the Court of Justice of the European Union (CJEU) ruled on July 16, 2020:

• invalidated the “Privacy Shield” self-certification mechanism, which had previously been recognized by the European Commission as offering an adequate level of protection
• clarified that the Standard Contractual Clauses approved by the European Commission and listed by the RGPD as a valid mechanism for transferring data outside the EU remain valid, but that it proves necessary to add additional guarantees to ensure an adequate level of protection for data transferred to countries that do not provide substantially equivalent protection to that guaranteed within the European Union.

In other words, the CJEU now requires exporting companies themselves to assess the adequacy level of a third country that does not benefit from a valid adequacy decision, taking into account the laws of the country where the importer is located, and in particular the practices allowing access to said data by the public authorities of the country in question.

This unanticipated challenge to existing mechanisms has a direct impact on a large number of companies of all sectors and sizes, as well as public administrations, which export their data outside the European Union. These mechanisms ensure that data of European origin is accessible outside our borders, and thus guarantee its free circulation within and outside the EU, in order to promote the European economy and innovation. A number of companies in all sectors of activity are already the subject of complaints (more than a hundred have been lodged), reflecting a situation that is already current. This situation is all the more worrying as companies try to recover from the economic repercussions of the COVID-19 pandemic.

In order to ensure the continuity of international transfers within a secure legal framework that respects the values of the European Union, and to enable companies to continue their economic activity, Asic, Syntec Numérique and TECH IN France are warning that:

• European and national authorities are doing their utmost to propose transitional measures for immediate application, which will provide companies with security while they await a stabilized protective framework.
• the data protection authorities, brought together within the European Data Protection Committee (EDPS), and the European Commission are discussing with companies and the public sector as soon as possible their analysis and recommendations on the nature and implementation of additional guarantees that may accompany the use of Standard Contractual Clauses, as well as on derogations. It is essential that the recommendations of data protection authorities are precise, operational and adapted to the level of risk presented by different transfers, depending on factors such as the type of data, the purpose of the transfer or the role of the company. Recommendations must also respect international trade treaties, so that they can be implemented quickly and effectively by all parties concerned. It is also essential that national controls and investigations carried out by different authorities are consistent, and do not lead to a fragmentation of interpretations and recommendations within the EU;
• the European Commission to update the Standard Contractual Clauses as soon as possible, taking into account the CJEU ruling, in order to guarantee the legal stability of this transfer mechanism to third countries;
• the European Commission and the data protection authorities decide on the risks or, where appropriate, the level of adequacy of third countries, in order to facilitate compliance by responsible parties wishing to continue transfers to third countries deemed unsuitable, and thus guarantee a harmonized and consistent approach for all European organizations.