On Thursday, July 16, the Court of Justice of the European Union declared the Commission's implementing decision (EU) 2016/1250 of July 12, 2016 invalid (CJEU, aff. C-311/18 of July 16, 2020). This decision had created the "Privacy Shield", a specific legal framework that allowed for a particularly flexible transfer of data between companies located on the territories of the European Union and the United States.
The concept of "data transfer" covers a wide range of operations, whether it is a transmission by sending in the form of a stream or the opening of an access in information systems for the purpose of consulting the data for example.
The "Privacy Shield" allowed companies located in the European Union to transfer data to American companies, provided that the latter had committed themselves to the US Department of Commerce to respect a certain number of rules. Groups of companies are also concerned when entities exchange data without having recourse to a particular framework.
Compliance with these rules meant that these member companies could be considered to offer a level of personal data protection equivalent to that which existed in Europe. Some 5,000 American companies, including the largest in the new technology sector, were members of the Privacy Shield.
As a reminder, the adoption of this scheme followed the annulment, in 2015, of the scheme previously in place called "Safe Harbor", already initiated by the Max Schrems collective (CJEU, aff. C-362/14 of 6 October 2015 "Schrems").
This new cancellation will initially force companies subject to the application of the RGPD to proceed with an inventory of the various contracts that imply, in particular during the provision of a service, the use of a U.S. company (for example, for hosting services, remote services, e-commerce platforms).
This inventory should identify all contracts that require or involve the transfer of personal data to these U.S. partners, in order to frame the data transfer using one of the other legal tools available.
Indeed, the invalidation of this provision does not mean that all data exchanges to the United States are called into question: the GDPR provides for other tools to control transfers, such as the use of specific contractual clauses (for example, standard contractual clauses or binding corporate rules for groups of companies).
SCAN Avocats is at your disposal to assist you in this transition to new management methods.