Last month, the ECJ (European Court of Justice) ruled that the EU–US Privacy Shield is no longer valid, because it failed to protect people’s rights to privacy and data protection.
The framework, which was adopted in 2015 to replace Safe Harbor, is how organisations on both sides of the Atlantic were able to transfer personal data for commercial reasons.
However, following criticism from the Austrian privacy activist Max Schrems, EU lawmakers determined that the US government’s mass surveillance practices contradict the protections that the Privacy Shield was supposed to provide.
So, if you had been relying on the Privacy Shield to work with US organisations, what do you do now?
Evaluate your data processing requirements
The Schrems II judgement doesn’t necessarily mean you will have to reduce your data transfer practices, but the process will now be more complicated. That means you should think about when and why transfers are necessary.
Any data transfers for which you’d previously used the Privacy Shield must now be done using SCCs (standard contractual clauses).
This is the mechanism used for data transfers between the EU and the rest of the world, so you may already be familiar with the process.
They are legal contracts that outline the terms and conditions for data transfers, and are designed for organisations that participate in two-way data sharing and in straightforward internal personal data transfers.
SCCs only apply to the data processing activities set out in the agreement, so any time the processing activities change, you will need to draft a new contract.
Max Schrems’ complaint also challenged the validity of SCCs, and although the ECJ chose not to abolish them, it did restrict their applicability.
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis of them to determine whether protections concerning government access to personal data meet EU standards.
This again causes problems for EU-based organisations that intend to transfer personal data to and from the US.
Organisations in the US that use SCCs to receive personal data from the EU must inform the data exporter of any inability to ensure equivalent levels of protection. In those cases, the exporter will be required to suspend or terminate the data transfer under the SCCs.
These issues mean that, although SCCs can work as a stopgap, organisations shouldn’t view them as a long-term solution.
But what’s the alternative? The Schrems II ruling has put organisations in an uncertain position, so it makes sense that they would want to look for expert advice.
With our EU–US GDPR Data Transfer Assessment and Action Plan, you’ll receive guidance that’s tailored to your organisation.
Our team of experts will assess your data transfer requirements and provide step-by-step advice on how to complete the process as efficiently as possible while also complying with your data protection requirements.