The threat to the Privacy Shield and Standard Contractual Clauses has been known about for a while now. July brings both of these concepts to the doors of the Court of Justice of the European Union ("CJEU"). What comes out of these cases could invalidate both of these mechanisms for transferring personal data outside of the EU. Paul Maynard from Hogan Lovells sets out the background to these cases as well as what that may mean for businesses.
This could have wide-ranging implications for all sorts of companies and the processes they follow. This includes how companies deal with data during legal or regulatory matters which have a nexus to the U.S. And depending on the judgements, thought will need to be given to how it impacts current working processes.
There are obviously many technical measures that can be used to help address some of the concerns, but at the end of the day to comply with U.S. legal and regulatory requirements, data will need to be transferred there.
I believe this will lead to an increased focus on performing more of the work within the EU as well as considering how to protect personal data that has to be transferred. Techniques such as anonymisation and pseudo-anonymisation could help, but whether that will be acceptable by U.S. authorities, is yet to be determined.
Obviously until the judgements come out, there is no pressing need to act, but given the duration of these matters and the likely timetable for the judgements (late 2019/early 2020), it is something that people need to start considering sooner rather than later.
July is set to be a busy month in Luxembourg. On the first and second of the month, the General Court of the European Union (which is part of the Court of Justice of the European Union (CJEU)) will hear a case against the EU-U.S. Privacy Shield brought by three French NGOs, La Quadrature du Net, French Data Network and Fédération FDN. A week later, on 9 July, the CJEU will hear arguments in Schrems II, in which the Irish High Court has referred 11 questions relating to whether the European Commission’s Standard Contractual Clauses (SCCs) provide an adequate level of protection for personal data which is transferred to the US.