A Questionnaire to Prepare for the End of the Privacy Shield

Are you wondering what your company needs to do now that the Privacy Shield is gone? You’ve come to the right place.

It's a confusing time. The US Department of Commerce announced on July 16, the day the Privacy Shield was invalidated, that it will continue to enforce the treaty, so many experts are advising companies not to withdraw. If they do withdraw, they will have to fill out a form, pay a withdrawal fee and suffer the consequences of being listed as inactive on the Privacy Shield list. That withdrawal paperwork is also sent to the Federal Trade Commission for scrutiny, so there is an additional risk that companies will come under the radar when they weren’t before.

I moderated a panel discussion on July 21 hosted by NYU Data Future Labs and Orrick on the Schrems II decision that invalidated the Privacy Shield treaty. We talked a lot about the guidance lawyers are considering giving their clients going forward. After that session, I sat down and wrote a list of questions that my colleagues should be asking their clients to prepare for the fallout. I’ve included the questionnaire below.

I recommend that lawyers who advise their clients on issues related to privacy circulate the relevant questions in this questionnaire to the sales and IT departments at their companies. There are several questions related to legal matters, such as Privacy Shield certification and government subpoenas, that the lawyer should be able to determine. A completed questionnaire should equip any business with the information it needs to respond to client concerns about the company’s data protection activities in light of Schrems II. The answers also empower lawyers with the necessary information to advise their clients how to effectively respond to the ruling.

Before we get to the list, here is background information about the ruling. (For a timeline, click here.) It all began when Max Schrems, an Austrian who was studying law in California, began to wonder if Facebook had transferred personal data about him from Europe to the United States. After requesting answers, he learned that it had, and in 2013 he sued Facebook in Ireland, its EU headquarters, arguing that the transfer had violated his rights as an EU citizen. In 2015, he won his case before the Court of Justice of the European Union (CJEU), and the Safe Harbor treaty between the U.S. and the EU was invalidated (though standard contractual clauses remained valid). In 2018 and 2019, Schrems sued Facebook and other tech companies under the General Data Protection Regulation, and in July 2020 the CJEU ruled in his favor once again, invalidating the Privacy Shield between the U.S. and the EU. As a result, if a business relied on the Privacy Shield to authorize any personal data transfers from the EU to the U.S., then that business is affected and EU customers could call for the termination of their contracts.

Such a draconian action by EU customers is not likely to happen quickly, because it would be a large disruption to current business practices. Many lawyers have been advising a “wait and see” approach. This is because the U.S. and the EU are already back in discussions about another treaty, just as they were after the Schrems I decision. However, some data protection authorities, such as the German DPA, are recommending that German companies should not do business with the U.S. It is for this reason that I prepared the questionnaire.

Your clients will likely receive a wide range of inquiries from their European customers. Rather than advise “wait and see,” work with your clients’ sales and IT departments to answer these questions. Recording their answers will enable lawyers to take on a leadership role. The questionnaire provides you with an opportunity to prove that being prepared can save relationships, continue to build trust and avoid losing even more revenue during this very challenging year.

Questionnaire

1. Do you have EU customers? How many?
2. Are you in negotiations or sales conversations with any EU customers? How many?
3. What is your current revenue from EU sales?
4. What is your projected revenue from EU sales?
5. Is your business listed on the Privacy Shield list as active?
6. Did you review your privacy policy for language that data transfers are covered by the Privacy Shield?
7. Do you have a dedicated, chosen Data Protection Authority in Europe?
8. If you have a DPA, who is it and have they issued any guidance?
9. If you don’t have a DPA, do you have any offices in Europe?
10. Look at your contracts with EU customers. Do you have standard contractual clauses (SCCs) or data protection addendums with them? Please list.
11. Have you ever received a U.S. government subpoena (under the Mutual Legal Assistance Treaty)? If so, how many and when?
12. What type of personal data do you collect on EU citizens?
13. If you have never received a U.S. government request for access to personal data that you process, would you consider the type of data you process of interest to the government if one of the data subjects were a criminal? A state actor? A political influencer?
14. Do you provide services to the U.S. government (federal, state, local)?
15. Do you have privacy counsel?
16. Do you have D&O insurance?
17. Do you have network intrusion detection?
18. Is personal data encrypted when in transit and at rest?
19. Do you anonymize personal data?
20. Have you ever suffered a security incident where a foreign government tried to access your data center?
21. Do you rely on AWS or another data center controlled by a third party? If requested, could they access the data in your servers/ buckets for purposes of complying with a government inquiry?
22. Please reference the security information of your data center, if available online.

Caroline McCaffery is the CEO & Co-Founder of ClearOPS, Inc., a B2B SaaS data privacy and cybersecurity company launched in October 2017. Working alongside lawyers and law firms, ClearOPS technology makes it easy to respond to, and keep track of, security questionnaires. McCaffery received her B.A. in International Relations from the University of Pennsylvania and J.D. from New York University School of Law. She is a member of the bar in both New York and California and is a Certified Privacy Professional (CIPP/US).