Summary
Context: The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield (Privacy Shield) as a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The CJEU continues to view standard contractual clauses (SCCs) as a valid mechanism in the abstract, though this may be challenged on a case-by-case basis if the circumstances surrounding the transfer impinge on the adequate level of protection afforded by the SCCs.
Rapid7 action: In light of the CJEU’s ruling, Rapid7 updated our Data Processing Addendum to, among other things, incorporate SCCs where required for the transfer of personal data outside of the EU or the UK. We are also continuing to monitor for further guidance from the EU supervisory authorities, including on any supplementary measures that we may undertake as a data importer.
Ongoing commitments: Rapid7 upholds high standards of privacy and security for customer data. As such, we reiterate our commitment to provide for increased customer control over where their cloud data is stored and restrict access to such data, and to never sell customer data. In addition, we aim to be transparent with our customers about government requests that we receive for their data.
Background on changes to legal mechanisms for EU-US data transfer
On July 16, 2020, the CJEU invalidated Privacy Shield in the Schrems II case (also known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). Privacy Shield was a voluntary program developed to enable companies to self-certify adherence to certain privacy protections for the transfer of personal data from the EU ..
Support the originator by clicking the read the rest link below.
