In July of 2020, the European Court of Justice issued the "Schrems II" ruling, which struck down the Privacy Shield framework that allowed online businesses to move data between the United States and EU countries without running afoul of EU privacy law. Without the Privacy Shield, any online business has to reconsider and update its legal agreements to ensure the way it handles user data conforms to the new court-ordered standard.
So how, exactly, do you adapt your contracts to comply with the Schrems II standard, and which contracts do you need to update?
Step 1: Identify Citations of the EU Privacy Shield
Since the Privacy Shield is no longer valid, you need to review all your current agreements for any explicit citations or invocations of the Privacy Shield. This includes vendor agreements, as your own service providers may have relied on the Privacy Shield to govern their handling of your data. If you pass your customers' data to a non-compliant vendor, you incur liability for their bad behavior.
Step 2: Adopt EU-Approved Standard Contractual Clauses
The European Union actually offers -- and Schrems II did not explicitly strike down -- Standard Contractual Clauses (SCCs) that govern acceptable methods for transferring EU citizens' online data outside of EU-resident servers and networks. These clauses cannot be altered; they must appear verbatim in your updated agreements to comply with European Union privacy law, and your business must conform to the standards these clauses prescribe.
Step 3: Prepare a Boilerplate Defense for Data Repatriation
The central reason the Privacy Shield framework was struck down is that the EU's General Data Protection Regulation (GDPR) offers far more privacy to online user data than is technically possible under US law. Simply put, since Edward Snowden revealed how much communications data US intelligence agencies routinely collect from online sources, user data residing in US servers and networks isn't private enough to meet EU standards.
So, how can companies move data from the EU into the US if the United States is considered an "unsafe haven" for EU user data?
The "split baby" of the Schrems II decision is that the SCCs are still valid, so long as the data being transferred outside the EU is being transferred to a jurisdiction and system where it is "reasonable" to assume that the data will be kept as private and secure as in EU systems.
Thus, if the concern is that US intelligence agencies could conceivably spy on your users' data, you need to have an established line of reasoning as to why that is unlikely. For example: none of the data you store on behalf of your customers is relevant to the "war on terror," and thus would not be subject to GDPR-violating examination by US authorities.
This defense is, admittedly, a risk, as it is subject to interpretation by EU regulators and courts. But, until a successor to the Privacy Shield is negotiated, this is the only legal option available (short of never transferring user data out of the EU again).
Step 4: Adopt Automated Contract Analysis
With the help of LinkSquares Analyze, you can determine precisely how many and which of your contracts need to be updated to deal with Schrems II. Beyond mere text search, LinkSquares can determine which version of a boilerplate clause is present, and whether it matches the precise SCCs and data repatriation addenda you need to keep your contracts compliant.
If you want to get in front of the Schrems II fallout as quickly and accurately as possible, contact LinkSquares today.