The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.
Below is a summary of the key points from the new FAQs on the EU-U.S. Privacy Shield (“Privacy Shield”):
- The new FAQs state that although (as a result of the Schrems II ruling) the Privacy Shield “is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States . . . this decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.”
- The FAQs further state that the Department of Commerce will continue to administer the Privacy Shield program, including processing applications for self-certification and recertification and maintaining the Privacy Shield list.
- The FAQs point to a July 21, 2020 statement from the U.S. Federal Trade Commission (“FTC”) noting that the FTC “continue[s] to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.”
- In addition, the FAQs make clear that organizations that wish to remain on the Privacy Shield list continue to be required to annually recertify to the Privacy Shield framework, including by paying the annual processing fee. Organizations that wish to withdraw from the Privacy Shield (1) must undergo the existing formal withdrawal process and remove public-facing representations about Privacy Shield participation from their websites and other public documents, and (2) are subject to ongoing requirements related to data received under the Privacy Shield.
- The new FAQs also indicate that it is the view of the Department of Commerce that continued participation in the Privacy Shield “demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.”
Regarding the Swiss-U.S. Privacy Shield, the updated FAQs state that “[t]he Swiss-U.S. Privacy Shield Framework remains a valid mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.” The Swiss-U.S. Privacy Shield FAQs also note that on July 16, 2020, the Federal Data Protection and Information Commissioner of Switzerland (“FDPIC”) issued a statement that the “FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.”
In addition to the details listed above, the new FAQs from the Department of Commerce state that “[t]he United States remains committed to working with the EU to ensure continuity in transatlantic data flows and privacy protections. The U.S. Department of Commerce has been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hopes to be able to limit the negative consequences of the decision to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.”
The European Data Protection Board (“EDPB”) also has published FAQs on the implications of the Schrems II case – read our blog post about the EDPB FAQs.