The CNIL’s order comes during a time of extreme uncertainty with regard to the fate of EU-US data transfers. EU and US officials had been negotiating “Safe Harbor 2.0” since October, immediately after Safe Harbor was ruled invalid. On February 2nd, the parties agreed to a new transatlantic data transfer pact, called the EU-US Privacy Shield; however, the language and legal implications of the agreement have yet to be finalized. Critics of the Privacy Shield point out that the agreement is merely an “agreement to agree” and not an actual framework on which to build a working policy, essentially giving the two sides more time to negotiate an actual policy. Critics also note that the EU’s focus on the US government’s data collection and spying practices is particularly sanctimonious in light of the fact that EU member state governments spy on their own citizens.
With the data transfer situation still in flux, no one is 100% certain how this situation will pan out over the course of the next few months. If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.