On July 16, the Court of Justice for the European Union reached a decision in the so-called Schrems II case, which has far-reaching implications for any consumer software business that operates in both the EU and the United States. In simplest terms, your client contracts are very likely no longer valid.
The Schrems II case (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems) dealt with a fundamental problem: the EU offers far more specific and expansive software privacy protections than those available under U.S. law, yet many businesses -- such as Facebook -- operate in both the EU and the U.S. and have data that "crosses the pond" between the jurisdictions.
What happens when the software doesn't change, but the governing law of the vendor, the consumer, and/or the data shared between the two changes? For example, if a U.S. citizen travels to Europe and uses Facebook over EU wireless carriers and transfers data through EU-based proxy servers, they are entitled to EU-level privacy protections, even though they enrolled in Facebook under U.S. governing law, privacy standards and end-user agreements. How does the law square that circle?
Before the Schrems II finding, the answer was the Privacy Shield Framework, a negotiated legal standard that adjudicated how these situations would be handled. To invoke the Privacy Shield Framework, vendors could employ EU-provided Standard Contract Clauses (SCCs), which effectively immunized the vendor from liability when data crossed jurisdictions.
The Schrems II case struck down the Privacy Shield Framework and found, essentially, that businesses that operate in any capacity in the EU must conform to EU privacy standards. The EU Standard Contract Clauses that previously limited vendor liability are no longer valid when transferring data outside the EU, including into the United States.
In many respects, the General Data Protection Regulation (GDPR) of the EU is now effective for any U.S. company that also operates in the EU -- even if that company is incorporated under U.S. governing law.
These findings will no doubt be appealed and, at some point, a successor to the Privacy Shield Framework will be negotiated. But, in the interim, any business that collects personal data from consumers -- which is to say, any business that operates a website or mobile app -- can no longer rely on its old EU Standard Contract Clauses to protect it when moving data out of the EU. Such businesses need to find any end-user licenses, privacy policies and/or service-level agreements that include those SCCs and amend them as soon as possible.
If you need help tracking down every instance of EU SCCs in your contract portfolio, LinkSquares offers the best automated contract analysis available today. Using cutting-edge artificial intelligence, LinkSquares can track down the specific contract language found in the SCCs and help you identify your post-Schrems II risks.
If you're ready to deal with the Schrems II fallout in the most efficient and reliable way possible, contact LinkSquares today.