A Fragile Shield? Managing the Risks of EU-U.S. Data Transfer
Still, despite the additional burdens imposed upon self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield inadequate protection for personal data in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. With that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace or instead buttress the use of Model Clauses? There are also steps EU organizations can take to protect themselves against a successful challenge, either to the Model Clauses or to the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them depending upon when and how UK withdrawal from the EU occurs. Certain actions will likely need to be taken by the UK to benefit from the Privacy Shield on an ongoing basis following withdrawal from the EU.
Our Womble Carlyle Privacy and Data Protection Team experts have been discussing these issues with our counterparts in our U.K. strategic partner firm Bond Dickinson and highlight areas where specific, targeted advice and collaborative thinking will benefit our clients.
For the full version of this client alert please click here.