[Invalidation of the Privacy Shield] Companies urgently need to define a clear legal framework

17 Sep 2021

The “Privacy Shield” adequacy decision, adopted by the European Commission in 2016, certified that the US had adequate data protection standards (i.e. essentially equivalent to the level of protection guaranteed under the GDPR) for the storage and processing of personal data from the EU. Any transfer of data between the EU and US operators was therefore based on this adequacy decision and carried out without further formality.

In its “Schrems II” decision, the CJEU found that the guaranteed level of protection was no longer sufficient, thus reiterating the need for high standards of data protection for citizens and economic players. In so doing, the CJEU’s decision implies a re-examination of data regimes vis-à-vis third countries. It also clarified that the Standard Contractual Clauses (SCCs), approved by the European Commission and listed by the GDPR as a valid mechanism for transferring data outside the EU, remain valid, but that additional guarantees must be added to ensure an adequate level of protection for data transferred to countries that do not provide protection essentially equivalent to that guaranteed within the European Union. The CJEU thus now requires exporting companies to assess the adequacy level of third countries that do not benefit from a valid adequacy decision, taking into account the laws of the country where the importer is located, and de facto forces them to interpret the existing standards themselves on a case-by-case basis.

This invalidation of the “Privacy Shield” has given rise to serious concerns in various economic sectors, particularly the digital sector, about the immediate impact of the CJEU’s decision on economic but also social and scientific exchanges. It seems essential to emphasize the cross-sectoral and general nature of the effect of the invalidation of the “Privacy Shield” on the economy: it directly concerns a large number of companies of all sectors and sizes, European or international, as well as public administrations, which may have to transfer their data outside the European Union. In addition to the considerable extra work involved in the absence of a predefined framework, this lack of visibility and of a stabilized protective legal framework is a real brake on economic activity. It is all the more worrying because it comes on top of an already trying period for companies, which are trying to recover from the economic repercussions of the first wave of the COVID-19 pandemic and are now faced with the second.

It is therefore essential to facilitate the continuation of business activity and European innovation based on the free circulation of data of European origin, which must involve the urgent definition of a secure legal framework for international transfers that respects the values of the European Union.

TECH IN France, aware of the scope of this decision and its major impact on the European economy and innovation, wanted to support its members in adapting their activities and data transfer practices. A legal webinar was organized to identify and measure the consequences for data transfers to the United States, during which Maître Mariez from Momentum analyzed the CJEU decision, answered companies’ questions and shared expert recommendations.

TECH IN France’s active mobilization on the subject of the legal uncertainty created by the “Schrems II” decision, and the need not to allow the private sector to remain in a state of uncertainty any longer, was also reflected in the public positions taken by the sector’s other professional organizations. These were aimed at alerting national and European authorities to companies’ fears, and called for the urgent definition of a stabilized protective legal framework for data transfers to the USA. For several months now, TECH IN France, as a professional organization, has been encouraging the national and European authorities to put in place the awaited transitional measures. Analyses and recommendations on the nature and implementation of additional guarantees that may accompany the use of SCCs, as well as on derogations, which are still being drawn up, must be defined and published as a matter of urgency. It is equally essential that recommendations from data protection authorities be precise, operational and adapted to the level of risk presented by different transfers, depending on factors such as the type of data, the purpose of the transfer or the role of the company.

Almost 4 months after the CJEU ruling, the European institutions are starting to get organized, particularly with regard to transfers of personal data outside the EU by European public institutions and bodies, or are submitting their recommendations or updated standard contractual clauses for consultation; consultations to which TECH IN France is currently working to respond.