From the time that the European Union General Data Protection Regulation began to be enforced in May of 2018, there has been an issue with the transfer of personally identifiable information of residents of the European Economic Area (EEA) to the United States.
The underlying cause of the issue is the view under EU law that the United States does not provide an adequate legal framework for the protection of PII combined with the view that EU law, in this regard, is applicable globally. The United States currently has no such law governing the transfer of PII of US residents to other countries.
Until now, there have been two ways to render the transfer of PII of EU residents to the US legal under GDPR.
- The first is to have specific contractual agreements between the US company transferring the PII of EU residents to the US and the data controller. The wording of these contractual agreements is tightly controlled by the EU. Depending on the transfers in question, there can be quite a number of such agreements for companies taking this approach.
- The second has been via treaty between the US federal government and the EU. The first such treaty was the Safe Harbor agreement of 2000. Safe Harbor was replaced by Privacy Shield in 2016. In both cases, companies in the US wishing to transfer PII from the EU could register with the US Department of Commerce and self-certify compliance with the stipulated requirements. The benefit of these treaties was that they covered all transfers of PII from the EU by the enrolled US entity. The EU courts invalidated Safe Harbor in 2015. As of July 2020, they have now invalidated Privacy Shield. In both cases, the EU courts found that the treaties did not provide adequate protection of PII under GDPR.
This creates a difficult compliance problem for companies enrolled in Privacy Shield. We would expect further intergovernmental negotiation and some follow-on guidance. The timing of this guidance is currently unknown. For the present, the Department of Commerce will continue to enforce Privacy Shield requirements on enrolled organizations.
Let us know if BostonCOMPLY can help you untangle this mess so that your organization can continue to meet your GDPR requirements and those imposed by your European partners, customers and vendors.