Changes to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

One of our customers has asked us about changes to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Specifically, they asked if we offer a data residency option. Has anybody else come up against this issue? Can anybody enlighten me as to the meaning of the changes, and what implications they might have for Marketplace partners?

Maybe not directly what you want to hear: You seem to be with an Australian service provider. As such, the Privacy Shield framework did not apply to you or your services anyway.

No, but they do apply to the services his company uses as data sub-processors (AWS, GCP, Heroku/Salesforce, etc.), as any data transfer of EU residents from their own systems (for instance, by upload, creation, etc.) to these sub-processors in the US was governed by the EU-US privacy shield.

Unfortunately, @david.pinn, the current status of the EU-US privacy shield is that it has been voided by the EU high court, and there is currently no replacement other than the standard contractual clauses (SCC), of which the court ruled that they have to be validated on a case-by-case basis by each of the EU member states’ data protection authorities (DPA). However, it is to be expected that if challenged, these will also be voided, as the underlying reasoning of the court is not resolved by this patchwork and DPAs will seek and weigh the high court opinion in their own rulings.

In short, the EU High Court has ruled that by definition, US law does not guarantee the privacy rights of EU citizens as granted to them in the European treaties. As such, no legal framework (like Safe Harbour or EU-US Privacy Shield) is going to be acceptable, as US law will always trump any such treaty. At this point, the overall consensus is that it is required for either US or EU law to change, making this a very, very high-stakes blinking game.

With the COVID pandemic, Brexit and US elections, it is not expected that there will be movement on this anytime soon. For now, the standard contractual clauses are still valid, although they can be challenged in any EU member state as they need validation by each individual member state data protection authority. It’s basically a ticking time bomb. See also

I’m not a lawyer, and I won’t take any (legal) responsibility for the outcome of my advice, but my 2 cents would be to tell your customer that you have entered into SCCs with each of your data sub-processors (which you should) and that this is currently the only thing you can offer as you are waiting for the EU and US to come to an agreement.