Joseph J. Lazzarotti and Mary T. Costigan of JacksonLewis write:
Businesses are now prohibited from transferring employee personal data from the European Economic Area (EEA) to the U.S. under the EU-U.S. Privacy Shield program. The Court of Justice of the European Union (CJEU) declared the EU-U.S. Privacy Shield invalid in Data Protection Commissioner v. Facebook Ireland and Schrems (C-311/18) (Schrems II), effective immediately. Businesses that relied on the EU-U.S. Privacy Shield as an adequate transfer mechanism can no longer perform routine activities such as sending employee data from the EEA to U.S. headquarters for HR administration, accessing a global HR database from the U.S., remotely accessing EEA user accounts from the U.S. for IT services, providing EEA data to third-party vendors for processing in the U.S., or relying on certain cloud-based services.
Read more on Workplace Privacy, Data Management & Security Report.
Related, from Covington & Burling:
Tune in to the first episode of Covington’s Inside Privacy Audiocast, where Dan Cooper moderates a discussion with Kristof Van Quathem, who was part of Covington’s case team, on the implications of the judgment. Our speakers offer valuable insights on how companies should pave the way forward in a post-Schrems II environment.