At the end of September, the International Federation of Reproduction Rights Organizations (IFRRO) hosted a webinar on the impact of the July decision by the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidating the EU-U.S. Privacy Shield. The Privacy Shield had been the four-year-old mechanism under whose protection EU companies had been sending personal information about EU citizens to the United States for processing. The Privacy Shield was designed by the EU and U.S. governments to offer EU citizens the comfort of knowing that participating U.S. companies seek to provide a level of protection for their personal information similar to that afforded by the EU’s own General Data Protection Regulation (GDPR).
The invalidation of the Privacy Shield is of importance to IFRRO-member Reproduction Rights Organizations (RROs) because of their mutual responsibilities under bilateral agreements.
IFRRO’s webinar was led by IP/IT partners at the European law firm Osborne Clarke, which acts as one of IFRRO’s regular outside counsel. After reviewing the reasoning in the CJEU decision for invalidating the Privacy Shield – largely focused on the insufficiency of redress available to EU citizens under U.S. national security laws governing the interception of electronic communications – the Osborne Clarke lawyers discussed the alternatives available to the EU RROs for complying with the GDPR while continuing their delivery of royalties and associated information to non-EU RROs. They also noted that the same concerns apply to EU RROs’ information transfers to almost all other non-EU RROs with which they have bilateral agreements. (Most RROs have such agreements with dozens of counterparts around the world.)
In the context of the relationships being discussed, the primary alternative available to the EU RROs (and most other EU businesses) is the use of Standard Contractual Clauses (SCCs) published by the EU (and due to be updated within a few weeks) and then signed on a case-by-case basis by the EU and non-EU partners. Those SCCs need to be supplemented (not replaced) by specific terms unique to the relationship between the EU and U.S. parties involved. The supplemental terms focus on the nature of the information transferred and the nature of the risk attached to the particular transfer. In the case of RROs, the lawyers leading the webinar focused on (i) the low level of risk associated with transferring information relating to the names of authors and publishers, whose names are in fact printed right on the works earning royalties (they are printed there largely because those authors and publishers want to ensure that they get paid for the use of their works), and (ii) the reality that U.S. national security laws are not focused on matters such as these. Further, the lawyers recommended that EU parties create careful documentation to explain the decision to transfer the information (for example, by obtaining answers to data security questionnaires that explain a U.S. recipient’s practices).
CCC is a founding and active IFRRO member. CCC holds two data security certifications – (i) a formal certification under the international information security management standard known as ISO 27001 and (ii) a clean report (tantamount to a certification) under the internationally recognized standard for internal organizational controls known as SOC 2 Type 2. The experts leading this session pointed out that these certifications are an important element of any conclusion by an EU RRO that the level of risk associated with these data transfers to CCC is low; in effect, these certifications are the equivalent of full-scale answers to the types of questionnaires that an EU company would issue. During the webinar, CCC also made clear to all attendees its willingness to help those RROs document that low-risk assessment by providing proof of its certifications.
The Court of Justice’s decision to invalidate the EU-U.S. Privacy Shield has placed a considerable burden on EU and U.S. companies across all industries. In the RRO-specific environment, this IFRRO webinar made clear that the nature of the information being transferred, plus the existence of CCC’s internationally recognized data security certifications, make the necessary risk assessment more straightforward.