The myriad of data privacy laws across Europe can make it challenging for companies engaged in cross-border business. Between the GDPR, the landmark Schrems II decision, local data privacy laws and Brexit complications, many global companies are opting for a conservative approach to collecting and transferring data online across borders. Here are a few high-level takeaways of data privacy laws in Europe and current enforcement trends.
- The landmark decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II) invalidated the EU–US Privacy Shield. Transfers using the EU-US Privacy Shield are now unlawful from the EU perspective and could trigger fines and claims for damages. The Swiss-US Privacy Shield is likely to be terminated by the Swiss Commissioner shortly. For companies looking to change their data transfer policies to comply with Schrems II, they could examine transfers based on Standard Contractual Clauses—which remain valid, but parties may need to conduct risk assessments to evaluate whether the importer can comply with the provisions, or consider implementing binding corporate rules (which take several years to be approved) or review Article 49 derogations, which are subject to the innate limitations of such mechanism.
- Under Brexit, the United Kingdom will be a “third country” with restrictions on data exports from the European Economic Area (EEA) as soon as the transitional period ends on 31 December 2020. If the United Kingdom does not receive an adequacy decision (which would deem it safe from a data transfer perspective) before that transitional period is finished, UK companies will need to rely on a permitted safeguard to ensure any transfer of personal data to companies outside the United Kingdom is lawful. Transfers of data from the United Kingdom to the EEA, however, will be permitted without the need for any safeguards. The Information Commissioner's Office (ICO) has approved the most popular safeguard, the current EU Standard Contractual Clauses (SCCs), for data transfers from the United Kingdom to countries outside the EEA, but they are likely to be replaced in the future with UK versions; the European Commission will also release replacements to the current SCCs for GDPR purposes (these are long-awaited).
- Cookies have taken center stage on most websites, and it is no exception in Europe, where companies need to obtain active consent to nonessential cookies for European users (unless the site is not intended for a European audience). The GDPR has expanded what is considered to be personal data, including even many IP addresses, which most cookies do collect. In that same vein, tracking technologies are a point of concern for EU authorities, especially as they are utilized for coronavirus (COVID-19) contact tracing.
- So what should you do as a data exporter? Take inventory of all your data transfers. Contact your service provider in the third country and inform them of the Schrems II decision. Obtain information on the legal situation in the third country and check whether there is an adequacy decision for the third country, whether you use the Standard Contractual Clauses for your transfer, and whether there are any supplementary measures that can be adopted.
- So what should you do as a data importer? Check your international data transfer agreements and be cooperative in conducting risk assessments. Follow the developments set forth by the Schrems II decision and be prepared for new laws as this area continues to develop.
If you're interested in Data Privacy and Protection Boot Camp, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas that may be of interest to you.