In invalidating the Privacy Shield program, it immediately jeopardizes the portion of the $7.1 trillion in commerce between the European Union and United States that is in part underpinned by the Privacy Shield program.
But it does not have to be seismic for your company.
Standard contractual clauses are still valid under the decision.
If your company relies on Privacy Shield to transfer data from the European Union and United States, you should, immediately identify the programs at issue and update your data protection addenda to add standard contractual clauses. The European Court of Justice placed a greater onus on data exporters in the European Union to assess the adequacy of privacy protections for the data importer [e.g., U.S. company]. Therefore U.S. companies should anticipate a greater degree of questions from customers and E.U. employees regarding the adequacy of the controls. In addition, we suggest the following additional steps for in-house teams:
- First Step: Leverage your Article 30 inventory to identify data flows impacted by the decision
- Second Step: Collaborate with your procurement and IT teams to assess impact
- Third Step: Discuss with your senior leadership to align on risk tolerance
- Fourth Step: Document the basis for the decision
- Fifth Step: Develop your long term action plan (e.g., regionalized data centers, development of a cross-functional team)
Please see our July 20 update for full analysis of the decision.