Intro
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in case C-311/18, known as Schrems II. The CJEU ruled that the EU-US Privacy Shield is invalid. At the same time, Standard Contractual Clauses (SCCs), a legal instrument that allows the transfer of data from the EU to third countries, were upheld as valid.
EU-US Privacy Shield
The EU-US Privacy Shield was an "adequacy" mechanism that allowed organizations adhering to its regulatory principles to transfer personal data from the EU to the US.
What's next?
At the time of this writing, the CJEU verdict leaves data transfers from the EU to the US in limbo. Obviously, the Privacy Shield can no longer be used, but many questions remain as to whether SCCs remain usable for data transfers between the EU and the US, or other countries with far-reaching national surveillance regimes.
FAQs:
WHAT GDPR RESPONSIBILITIES ARE AFFECTED BY THIS DECISION?
The decision concerns the responsibility of controllers and processors for the transfer of EU citizens' data to countries outside the EU. Any such transfer must ensure a comparable level of protection, and therefore requires the use of a special "transfer mechanism", including:
- Adequacy: This solution allows unrestricted data transfer to a country or region that, in the opinion of the European Commission, provides an adequate level of data protection. Such countries include: Andorra, Argentina, Canada (PIPEDA only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. All adequacy decisions are currently being reviewed following the entry into force of the GDPR.
- Appropriate Safeguards: GDPR , . Schrems-II, , « » GDPR. Standard Contractual Clauses (SCC), . , , .
- Binding Corporate Rules (BCR): GDPR . BCRs EDPB. Schrems-II BCR « » GDPR .
- : GDPR 49, . , , . .
GDPR?
Up to 4% of annual turnover or €20 million, whichever is higher. In addition, the DPA (Data Protection Authority) has the right to suspend data transfers from its home country to the United States.
What do I need to do with my current EU-US Privacy Shield certification?
The US Department of Commerce (DOC) has stated that the Privacy Shield will continue to operate and expects members to continue to uphold their Privacy Shield obligations. The US DOC, the European Commission, and the European Data Protection Board (EDPB) have indicated that they intend to create a successor to the Privacy Shield. Companies remaining in the Privacy Shield can simplify their transition to a successor once one is established.
Will previous data transfers within the EU-US privacy shield be affected?
All prior data transfers remain subject to the EU-US Privacy Shield.
Will there be a grace period?
The EDPB has issued guidance stating that there will be no grace period. Given that the EU-US Privacy Shield has been invalidated, companies that have so far relied on it to transfer data will need to find an alternative legal basis for their transfers without undue delay.
I want to exit the EU-US Privacy Shield. What do I need to do?
If you decide to leave the EU-US Privacy Shield, you must follow the withdrawal procedure established in the United States.
Should I update the company's privacy policy?
We recommend that, as a Privacy Shield member, you do not make any changes to your Privacy Policy at this time. There is currently no basis or regulatory guidance for any change, unless you have stated (as a data exporter under the GDPR) that you are relying on the Privacy Shield as your legal basis for transferring data outside the EEA.
My organization's privacy policy clearly states that we use the EU-US privacy shield to legitimize data transfers from the EU to the US, should we remove this notice?
You will need to update the Policy and indicate which alternative transfer mechanism you are using. You may also consider including a temporary notice that the organization is reviewing its transfer mechanisms in light of the Schrems II decision.
standard contractual clauses?
As long as the data is not collected and/or accessed by US authorities for national security purposes, SCCs may be used on a case-by-case basis, depending on whether the US data importer is able to meet its specific data processing obligations. This means that the burden of proof on both the data exporter and the data importer in the third country has increased: they must be able to show that all SCC requirements can be met. The data importer will also have to confirm that it will fully comply with all the basic principles of the GDPR. Importer and exporter will therefore have to assess the legislation of the third country to find out, for example, whether the importer is subject to surveillance laws that could lead to interference with the rights of EU citizens. If so, the transfer cannot be based on the SCCs. The same applies to BCRs. In its document, the EDPB indicated that it will provide further guidance on the legal, technical and organizational measures that can supplement the SCCs to ensure lawful, uninterrupted data transfers.
How about onward transfers of data from US companies that process EU personal data to other US companies (eg cloud providers)?
Onward transfers of personal data originating from any of the EEA countries must be processed in accordance with the data protection standards set by the GDPR. The data exporter is responsible for the complete data processing chain for which it is the data controller. If the data importer cannot guarantee that the GDPR standards and the applicable transfer mechanisms will be complied with, additional safeguards must be agreed. If this is not possible, the transfer cannot take place.
If my US company is moving a server to the EU, do I still need a data transfer mechanism?
It depends on how the data is processed within the company. As long as the data is stored on servers in the EU and is only accessed from the EU, no data transfer mechanism is required. However, as soon as the data is accessed from outside the EU, that access is processing (as defined in Article 4(2) GDPR) and also constitutes a transfer, which requires the use of a transfer mechanism. In addition, if a company is subject to US surveillance laws, including but not limited to FISA section 702 and EO 12333, using an EU server does not guarantee protection.
Will encryption be a sufficient mitigation measure in the event of potential US government intervention?
Encryption is a good security mechanism: data that is intercepted in transit or at rest cannot be read without the key. However, there are other mechanisms that can enable the US government to gain access to personal information. Ultimately, the dataset must be decrypted wherever it is accessed by other parties, and at that point it is exposed.
Are other transfer methods still valid?
All data transfer mechanisms included in the GDPR remain in effect. The CJEU revoked one adequacy decision (the EU-US Privacy Shield) and established stricter evaluation criteria for the use of the other transfer mechanisms.
Has the SWISS-US Privacy Shield been revoked?
No.
What impact will these processes have on Brexit and the UK?
It's too early to tell. Until the end of the transition period (currently December 31, 2020), the UK will continue to apply the GDPR unchanged. What follows is the subject of negotiations between the UK and the European Commission.
How do regulators comment on this decision?
European Data Protection Board (EDPB):
"No information on enforcement or advice on transfers; further analysis to follow."
US Department of Commerce:
"While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission's adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts."
Polish Inspector General for the Protection of Personal Data (GIODO):
"Controllers need to carry out an individual assessment of the level of data protection ensured as part of cross-border data transfers, which must take into account not only the contractual provisions agreed between exporters and importers of data, but also legal provisions in a third country, in particular regarding possible access by public authorities of that country to the data transmitted. Further guidance will follow via the EDPB."
Estonian Data Protection Inspectorate:
"When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country's adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission's data protection clauses themselves. The assessment must determine whether the protection of Europeans' personal data can be ensured in the future by relying on data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found."