The European Court of Justice (ECJ) made a decision on July 16, 2020 to strike down Privacy Shield, a trans-Atlantic agreement that had allowed companies to move data between the European Union and the United States.
The ECJ invalidated the Privacy Shield agreement, just as it did with the Safe Harbor program before it, on the basis of the national security data collection activities of the US government (which do not comply with European privacy rights). This decision will leave more than 5000 US companies that relied on this system with many immediate changes to make to their policies, programs and contracts.
Zeta is not one of those companies.
Since early 2019, Zeta has applied the EU Standard Contractual Clauses (also known as “Model Clauses” or “SCCs”) in all relevant contracts to export EU data to non-EU countries. These clauses remain valid under the GDPR according to the ECJ decision, which stated that it is the responsibility of companies to assess their exposure to governmental access to EU data.
You might be asking some questions, such as…
So, does the ECJ decision mean that EU data can no longer be accessed lawfully in the United States? Not at all. It means that companies that were until today relying on the Privacy Shield program as their lawful means of processing EU data in the United States no longer have that option and will need to switch their contractual clauses to SCCs. Zeta made this change in early 2019 in anticipation of this outcome.
If I am currently transferring EU data to Zeta, do I need to stop or suspend the transfers? No. In 2019 Zeta incorporated SCCs into its terms and conditions and instituted an internal data transfer agreement, based on SCCs, among member companies of the Zeta Group. Zeta is not affected by the invalidation of the Privacy Shield and can continue to process EU data in the United States uninterrupted.
We will continue to monitor developments relating to this landmark privacy case as they unfold. Zeta’s privacy office is always available to discuss data, privacy and compliance with our clients if you have questions or concerns.