July 22, 2020
Franchisors Impacted by EU Limits on Personal Data Transfers to the U.S.
What Happened? On July 16, 2020, in Schrems II, the EU Court of Justice invalidated the EU-U.S. Privacy Shield mechanism. The EU Court of Justice struck down a similar program, the EU-U.S. Safe Harbor, in 2015. Over 5,000 companies, including many franchisors and franchisees, that self-certified for Privacy Shield with the U.S. Commerce Department may no longer rely on it for transfers of EU personal data to the U.S.
So What? Franchisors may be in breach of vendor and other contracts to the extent they have agreed to fully comply with all relevant data privacy laws and they fail to be covered by an appropriate legal mechanism allowing for such cross-border transfer of data. In addition, with Privacy Shield no longer available as a data transfer mechanism, there is potential risk of EU regulatory cease-and-desist orders to stop data transfer, and fines of up to 4% of a company’s worldwide annual turnover or gross revenues.
How Does Schrems II Affect Franchisors? All franchisors with operations or activities in Europe need to consider the impact of this EU Court of Justice decision. The main EU privacy law, the General Data Protection Regulation (GDPR), applies to any franchise (regardless of where it is based) that collects or processes personal data from EU residents. U.S.-based franchisors that receive customer data from their EU franchisees must review what data they collect and for what purposes to see what new actions may be necessary to comply with the GDPR. A franchisor operating a worldwide customer loyalty program should review how the Schrems decision impacts their program. Franchisors may also need to reconsider their handling of personal data for existing and prospective EU franchisees.
Why Did this Happen? The transfer of EU personal data is limited to countries with “adequate” data protection safeguards in place. Due to the access of the NSA and other federal law enforcement to personal data in the U.S., the Schrems II Court has again held U.S. data protection to be “inadequate.” Privacy Shield utilized an “ombudsperson” process to protect EU data privacy rights, but the Court questioned its independence and authority to make binding decisions on U.S. intelligence.
Is that All? No. Schrems II calls into question the viability of Standard Contractual Clauses (SCCs), far and away the most common EU personal data transfer mechanism in use. SCCs are EU-approved appendices that permit data transfer, but parties to a contract must adopt the clauses verbatim. In so doing, the parties agree to EU jurisdiction and the technical data protection requirements in the clauses.
Are Standard Contractual Clauses Dead? Not yet. A case-by-case analysis now applies to SCC transfers. The Schrems II Court holds that EU exporters of data (or EU data regulators) must suspend SCC data transfers when the law of the recipient country “allows its public authorities to interfere with the rights of the data subjects to which that data relates.” Given that the U.S. already falls into that category of countries, however, it appears that suspensions of SCC transfers to the U.S. may be imminent.
Does Franchisor Compliance with the California Consumer Privacy Act Help in the EU? Not really. Many franchise businesses are now complying with the data privacy requirements of the CCPA, but the EU Court’s decision in Schrems II was based upon concerns over the reach of U.S. intelligence into EU personal data. Even under the CCPA’s data privacy regimen, EU personal data remains subject to surveillance by the U.S. government.
What Should Franchisors Receiving EU Customer and Personal Data Do?
What Comes Next? The status quo for personal data transfers out of the EU will not likely remain for long. The U.S. tends to get the heat and headlines in the EU, but all nations engage in data intelligence. EU countries surveil their own citizens, and it continues to be an issue for debate (https://fra.europa.eu/sites/default/files/fra_uploads/fra-2017-surveillance-intelligence-services-vol-2-summary_en.pdf). Further, many countries are enacting data localization rules, requiring any personal data to be stored in that country. China and Russia, among others, assert a right to engage in intelligence on data found within their borders.
At the end of the day, a political solution is necessary. The EU will need to consider surveillance and national security as important considerations to be balanced against privacy rights, and seek a pragmatic, agreeable solution to commercial data transfer. The United States may need to bolster its enforcement of data privacy rights of individuals. In the meantime, companies must take stock of what personal data they collect and for what purposes. If they must handle the personal data of EU residents, it is essential that they monitor this volatile legal landscape and implement processes that are appropriate for their unique uses of personal data.
For more information, contact Tedrick Housh, Michael Cohen, Gaylen Knack, Carl Zwisler, a member of our Global Privacy, Cybersecurity & Data Protection team or your Lathrop GPM attorney.
© 2020 LATHROP GPM, ALL RIGHTS RESERVED
The information contained in this document is provided to alert you to legal or tax developments and should not be considered legal or tax advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed or to your legal or tax advisor before taking any action based upon this information. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall have no obligation to update this information and shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.