The End of Privacy Shield: What it Means for Agreements

Data privacy regulation has taken yet another sharp turn. The July 16, 2020 Schrems II decision has invalidated the EU-US Data Privacy Shield, the data transfer framework relied upon by over 5,000 European and US companies to conduct over $7 trillion in commercial transactions. This decision took immediate effect with no grace period—and also hinted at greater scrutiny for alternate data transfer mechanisms like standard contractual clauses (SCCs) and binding corporate rules (BCRs)—leaving many companies uncertain over how to conduct business involving transatlantic data transfers. 

The introduction of Privacy Shield

Taking effect in April 2016, the General Data Protection Regulation (GDPR) imposed restrictions on the transfer of personal data outside of the European Union. Leading up to the May 2018 deadline for GDPR compliance, companies in the EU, United States and elsewhere undertook an unprecedented effort to review and conform their supplier, customer, and other third party agreements to comply with requirements under GDPR. 

One of the most common mechanisms for addressing data transfers under GDPR was reliance upon what is known as the EU-US Data Privacy Shield, which emerged in response to the 2015 rejection of the then-utilized Safe Harbor framework. Privacy Shield was deemed adequate to enable EU-US data transfers under EU law by the European Commission in July 2016. Privacy Shield is a form of self-certification, a voluntary set of standards implemented by global organizations to transfer data out of the EU under assurances that relevant activities performed pursuant to the Privacy Shield framework would be in compliance with GDPR. 

The impact of the decision

The July 16, 2020 decision by the Court of Justice of the European Union in what is known as the Schrems II case invalidated the EU-US Privacy Shield. (For clarity, the decision did not affect the Swiss-US Privacy Shield framework, introduced in 2017.) The decision hinged on the court’s finding that the EU-US framework failed to ensure the protections mandated by the GDPR as it did not provide adequate safeguards to prevent EU data from being provided to US law enforcement or government agencies. As mentioned, there is no grace period and the ruling is effective immediately, which will naturally prompt companies to look to implement and rely on alternate data transfer mechanisms like SCCs and BCRs. 

While the Schrems II decision indicated that the SCCs issued by the European Commission for the transfer of personal data outside of the EU remain valid, it also articulated the need for companies relying on SCCs to assess whether they can maintain an “adequate level of protection” for the personal data given the circumstances of the transfers and the laws of the importing countries. Based on the foregoing assessment, companies may need to impose “supplemental measures” for such transfers, yet without clear guidance of what such measures should reasonably be. 

The path forward for agreements 

While there is still plenty of legal wrangling to be done, for many businesses, Schrems II  requires a re-evaluation and revision of agreement terms related to data transfer across large numbers of agreements. Note that these are, in many cases, the same tens of millions of agreements that were amended for data privacy purposes as recently as 2018.

As companies review their agreements, they can look beyond mere express references to certain data transfer mechanisms in the plain language of the agreements. Rather, they can analyze the agreements to identify the range of data privacy and security obligations addressed in the terms. This sort of comprehensive agreement analysis enables companies to fully assess their rights and responsibilities, and better understand corresponding privacy compliance risk. It can also help them determine whether to augment their BCR- or SCC-based data transfer strategy with supplemental measures—which may include data encryption or other security commitments, breach notification, and termination rights.

How can the DocuSign Agreement Cloud help?

The DocuSign Agreement Cloud delivers value to the three critical elements of any review and revision of data privacy clauses in agreements:

1. DocuSign Insight provides powerful AI to efficiently analyze all agreements across an organization to determine whether and how data privacy is addressed — including reliance on Privacy Shield or an alternate data privacy framework.
2. DocuSign CLM enables businesses to quickly and easily generate amendments and replacement terms for agreements reflecting their updated approach to privacy in the post-Privacy Shield world.
3. DocuSign eSignature, the world’s most trusted brand for electronic signature, delivers a seamless experience for all parties to any business agreement, to ensure auditable and enforceable agreement to revised terms reflecting data privacy strategies. 

The digital world continues to evolve at an unprecedented pace — and the DocuSign Agreement Cloud is here to help.

By Stuart Brock, Esq.*, Sr. Agreement Cloud Strategy Practice Director, DocuSign

*This blog is offered for general information purposes. It is not intended as, nor is it a substitute for, legal advice.