What is the big deal about Privacy Shield?
Over 5000 US companies were certified under the Privacy Shield (PS) framework enabling them to process EU Personal data.
That is 5000+ organisations who can no longer count on Privacy Shield for EU Personal Data International Transfers.
It became illegal under EU law for any EU Controller to send persona data to a US organisation whose only legal transfer mechanism was Privacy Shield – that’s right ILLEGAL as of the 16th July 2020.
The graphic below is merely to illustrate the big names who are certified against Privacy Shield and does not necessarily indicate whether their transfers under any other mechanism are legal or not.
My business doesn’t use Privacy Shield, so what does this have to do with me?
Most EU businesses will not use Privacy Shield directly or even be aware that it is within their technical/compliance supply chain.
That being said each business should know which of their 3rd parties or software/service providers are moving their data out of the EU.
Just take a look at some of the big names who relied on Privacy Shield for some of their personal data transfers. These companies are on the Privacy Shield active certified list, it does not necessarily mean they rely on it to process your personal data, but they might!
Isn’t this an issue for the US companies to fix?
Yes absolutely, if the 5000+ companies wish to continue processing EU personal data then it is their issue to fix. But don’t hold your breath, there is no easy or quick solution.
We would like to think that some of the bigger names would be working on solutions but it is the way of the world and certainly in these challenging Covid 19 times, that some just won’t bother.
Of the ones that don’t bother some might let you know and cease processing EU data, some will just continue as they are, hoping the problem will just go away.
If I use a company on the Privacy Shield Active List, and they don’t have a solution, can I continue to use them?
If you use one of these 5000+ companies and they process your EU / UK personal data using the Privacy Shield Framework then NO you can no longer legally continue to use them.
The EU ruling on Privacy Shield came into immediate effect, meaning that as of the 16th July 2020 alternative legal mechanisms for processing data should be being used.
Your business as a data controller has full responsibility for the personal data you process, just as you should not send your personal data to any 3rd party without a suitable GDPR proof contract, you now should not be sending personal data to a US organisation who has not legal grounds for processing it.
WARNING: By using a US business that relies on Privacy Shield to process your EU personal data you are breaking the law.
*** The Information Commissioners Office says ……. paraphrasing***
“…… you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.
… supervisory authorities have an important role to play in the oversight of international transfers.
…. We (‘the ICO’) will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.”
Can we rely on Binding Corporate Rules and or Standard Contractual Clauses?
Initially all the larger organisations who managed to get approved Binding Corporate Rules and the typically smaller ones who set up Standard Contractual Clauses thought that they might have avoided the Privacy Shield trap.
However, on the 24th July the European Data Protection Board issued it’s FAQ on the CJEU judgment.
“2) Does the Court’s judgment have implications on transfer tools other than the Privacy Shield?
In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country. U.S. law referred to by the Court (i.e., Section 702 FISA and EO 12333) applies to any transfer to the U.S. via electronic means that falls under the scope of this legislation, regardless of the transfer tool used for the transfer2 .”
To put this into plain English…. BCRs, SCC’s and all other mechanisms are potentially also unlawful and should be subject to a full assessment and potentially the addition of supplementary controls.
If you don’t use any US business on the Privacy Shield List then check the Binding Corporate Rules list here:
I need help, where can I go?
GDPR Auditing have a GDPR international Transfers Service which had been specifically designed to help organisation who are worried about the Privacy Shield ruling and the knock on effect to Binding Corporate Rules and Standard Contractual Clauses.
We can provide a thorough assessment of your current exposure and help you to identify and implement new systems and processes to keep you legal.
You can read more about or service here: EU – US Personal Data Transfers
Our Privacy Shield Holding Statement is ready to be published. It covers all the relevant changes and what they mean for you and your customers, it explains what every company should be doing to assess and find solutions to the problem and how you will be working with your 3rd parties to ensure their compliance.
The information provided in this post is for general information only and is not intended to provide legal advice.