The specifics of the case are complicated and better suited to a legal blog, but the EU data protection regulation, aka GDPR, requires that personally identifiable data only be transferred outside the EU to countries that have an adequacy decision, which means that the country’s data protection laws provide the same level of protection as the GDPR. Prior to the CJEU decision, transfers made with companies that participated in Privacy Shield were deemed adequate.
With the invalidation of Privacy Shield, EU-US data transfers under Privacy Shield are no longer deemed adequate. Only twelve countries have adequate data protection laws, and most of them are, unfortunately, not huge hubs for personal data transfer. Those countries are Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
What is the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield was built on seven principles designed to protect personal data. Organizations that voluntarily attested to the Privacy Shield requirements agreed to post notices about their personal data collection and privacy policies, provide opt-in options, adequately secure data from the EU, and be accountable for compliance verification and enforcement.
However, this wasn’t enough for the CJEU, which found that regardless of participation in Privacy Shield, the agreement didn’t provide enough protection to European citizens in regard to government surveillance.
What does the invalidation of the Privacy Shield mean for you?
Now that the EU-US Privacy Shield framework has been invalidated, data transfers to the US cannot legally be initiated without additional steps, and the European Data Protection Board (EDPB) has stated that there’s no grace period. We haven’t seen guidance from the EDPB on what the ruling means in practice, but several Data Protection Authorities (DPAs) have published guidance for their regions. So what do you do now?
First, don’t panic. Take a few deep breaths and watch a video of kittens or puppies. Now that you’re feeling a little calmer, here are four things you can do:
1. Dust off that data map — Remember when GDPR first came into force and you built a personal data map to make sure you were compliant? It will come in handy now. You’ll need it to determine whether your data is flowing to the US or, for that matter, to any other country that doesn’t have an adequacy decision. If you never created a data map, you’ll need to work out which data is being transferred outside the EU. If you’re using VGS, you can map your data routes to determine which countries your data is flowing to.
2. Find your DPA’s guidance — DPAs from across Europe have published guidance for their regions. You should find and review this guidance. Until the EDPB releases unified guidance, your response will depend on which DPA you’re subject to.
3. Review your contracts — Do you have Standard Contractual Clauses in your contracts with controllers and processors who transfer personal data outside the EU? If you do, review those and ensure that processes are in place to meet the contractual obligations. If you don’t, consider adding the SCCs to your contracts, but this is a legal agreement, so make sure that you and your partners are actually doing what you agreed to do by adding the SCCs to your contract.
4. Conduct a risk assessment — Even with SCCs in place, you’ll need to make sure that the privacy rights of the individuals are adequately protected. This means considering the laws that apply to your business partners and the sensitivity of the personal data you’re processing. The CJEU’s ruling specifically called out U.S. surveillance laws applying to cloud service providers and the United States intelligence community’s monitoring of personal data transmitted to the US. You’ll need to ensure that sufficient controls are in place to protect data from surveillance during transmission, and that the U.S. government cannot compel your business partner to provide the data, either directly or through their business partners.
A couple of things to keep in mind:
The US-Swiss Privacy Shield is still in effect. The CJEU does not have jurisdiction over Switzerland, and the Schrems II decision did not invalidate the agreement between the US and Swiss governments. As of mid-August, the Swiss government hasn’t invalidated the agreement, but they could choose to do so.
The US government is still enforcing Privacy Shield, and participating businesses must remain Privacy Shield compliant. If your business partner is Privacy Shield certified, the US government will still hold them accountable to meet the requirements and will bring enforcement actions against businesses that violate the requirements. They also still have to follow the rules to renew their Privacy Shield certification.
This isn’t just a US problem. If you are transferring EU citizens’ personal data to any country other than those listed above, you need to ensure that adequate protections are in place to safeguard those citizens’ rights. You’ll need to be aware of the laws in the destination country and assess the risks related to those laws.
If parties involved in a data transfer cannot guarantee the same personal data protection standards set forth by the GDPR, additional safeguards should be considered or the transfer should be stopped. Otherwise, an EU data protection regulator may step in and stop the transfer.
Streamline your compliance measures to continue EU-U.S. data transfers
The CJEU’s ruling in Schrems II has made the transfer of personal data outside of the EU difficult and in some cases impossible. VGS has tools to help you know where your data is going, and we’re committed to working with you to find a solution that works for you. Whether that means providing the tools to quickly map your data flows or helping you decide where best to store your data, VGS can work with you to find a solution that works for you and your customers.