The summer has seen a number of legal developments relating to the GDPR (RGPD), which have had a major impact on all current contracts with American companies and created legal uncertainty for businesses.
The Court of Justice of the European Union has invalidated the so-called "Privacy Shield" agreement between the European Commission and the US Chamber of Commerce to legalise transfers of personal data to the United States (judgment of 16 July 2020, C-311/18).
Up until now, American companies that had signed up to the Privacy Shield were considered recipients offering a level of protection equivalent to the GDPR. Now that the agreement has been called into question, data controllers will have to sign data transfer agreements with their American service providers, and simply signing the European Commission's standard contractual clauses will no longer suffice.
The Court of Justice has added a new obligation to the signing of these clauses: data controllers must now carry out a case-by-case assessment of each transfer on the basis of two cumulative criteria:
- the content of the contractual clauses governing the transfer, which must provide for:
  - effective mechanisms to ensure that the level of protection required by EU law is respected;
  - failing that, mechanisms for suspending the said transfers;
- the applicable law of the country of destination.
At the same time, the company receiving the transfer must inform the European data controller of any inability to comply with these clauses.
Consequences:
You are obliged to ensure that your transfers of personal data to the United States comply with this decision, whether these transfers are to a subsidiary, a parent company or a service provider.
As a first step, we recommend that you:
- remove all references to the Privacy Shield from the Privacy Policy and all other information;
- identify transfers to the United States;
- sign compliant transfer contracts with your suppliers;
- create a process for carrying out a case-by-case assessment of each transfer, taking into account the specific circumstances and the measures put in place between the parties to ensure its validity;
- if the analysis is negative, suspend the transfer in question or even terminate the contract with the American service provider.
As the Court of Justice ruling has a general scope, it will be necessary, as a second step, to identify all transfers of data to a recipient outside the EU and verify the validity of each of them under the same conditions.