Are you wondering what your company needs to do now that the Privacy Shield is gone? You’ve come to the right place.
It's a confusing time. The US Department of Commerce announced on July 16, the day the Privacy Shield was invalidated, that it will continue to enforce the treaty, so many experts are advising companies not to withdraw. If they do withdraw, they will have to fill out a form, pay a withdrawal fee and suffer the consequences of being listed as inactive on the Privacy Shield list. That withdrawal paperwork is also sent to the Federal Trade Commission for scrutiny, so there is an additional risk that companies will come under the radar when they weren’t before.
I moderated a panel discussion on July 21 hosted by NYU Data Future Labs and Orrick on the Schrems II decision that invalidated the Privacy Shield treaty. We talked a lot about the guidance lawyers are considering giving their clients going forward. After that session, I sat down and wrote a list of questions that my colleagues should be asking their clients to prepare for the fallout. I’ve included the questionnaire below.
I recommend that lawyers who advise their clients on issues related to privacy circulate the relevant questions in this questionnaire to the sales and IT departments at their companies. There are several questions related to legal matters, such as Privacy Shield certification and government subpoenas, that the lawyer should be able to determine. A completed questionnaire should equip any business with the information it needs to respond to client concerns about the company’s data protection activities in light of Schrems II. The answers also empower lawyers with the necessary information to advise their clients how to effectively respond to the ruling.
Before we get to the list, here is background information about the ruling. (For a timeline, click here.) It all began when Max Schrems, an Austrian who was studying law in California, began to wonder if Facebook had transferred personal data about him from Europe to the United States. After requesting answers, he learned that it had, and in 2013 he sued Facebook in Ireland, its EU headquarters, arguing that the transfer had violated his rights as an EU citizen. In 2015, he won his case before the Court of Justice of the European Union (CJEU), and the Safe Harbor treaty between the U.S. and the EU was invalidated (though standard contractual clauses remained valid). In 2018 and 2019, Schrems sued Facebook and other tech companies under the General Data Protection Regulation, and in July 2020 the CJEU ruled in his favor once again, invalidating the Privacy Shield between the U.S. and the EU. As a result, if a business relied on the Privacy Shield to authorize any personal data transfers from the EU to the U.S., then that business is affected and EU customers could call for the termination of their contracts.
Such a draconian action by EU customers is not likely to happen quickly, because it would be a large disruption to current business practices. Many lawyers have been advising a “wait and see” approach. This is because the U.S. and the EU are already back in discussions about another treaty, just as they were after the Schrems I decision. However, some data protection authorities, such as the German DPA, are recommending that German companies should not do business with the U.S. It is for this reason that I prepared the questionnaire.
Your clients will likely receive a wide range of inquiries from their European customers. Rather than advise “wait and see,” work with your clients’ sales and IT departments to answer these questions. Recording their answers will enable lawyers to take on a leadership role. The questionnaire provides you with an opportunity to prove that being prepared can save relationships, continue to build trust and avoid losing even more revenue during this very challenging year.
Caroline McCaffery is the CEO & Co-Founder of ClearOPS, Inc., a B2B SaaS data privacy and cybersecurity company launched in October 2017. Working alongside lawyers and law firms, ClearOPS technology makes it easy to respond to, and keep track of, security questionnaires. McCaffery received her B.A. in International Relations from the University of Pennsylvania and J.D. from New York University School of Law. She is a member of the bar in both New York and California and is a Certified Privacy Professional (CIPP/US).