Privacy Shield Ruling
On the 16th July 2020 the Court of Justice of the European Union ruled that Privacy Shield does not provide a safe mechanism for transfers of personal data outside of Europe to the US.
The ruling became effective immediately and therefore any organisation whose data transfers to the US relied on Privacy Shield automatically became illegal.
Read our Privacy Shield blog here is you need more information on Privacy Shield – https://www.gdprauditing.com/eu-us-privacy-shield/
What does the ruling say?
The ruling by the CJEU states that because the US Government under most circumstances can ‘snoop on’ or demand to see personal data, companies can not adequately protect that data or provide effective recourse to data subjects whose data is being looked at.
The actual words are:
“ The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.”
So, whilst Privacy Shield along with binding Corporate Rules and Standard Contractual Clauses may have provided security within or between companies or groups of companies, the fact that the US Government can access that personal data if required invalidates those mechanisms.
What does this actually mean?
The ruling made Privacy Shield an illegal transfer mechanism immediately. Therefore, anyone who previously relied on Privacy Shield must cease the export of data to the US from the date of the ruling.
There is no grace period, no taper. To continue to operate where you previously relied on privacy shield, you will be breaking the law.
You must now find an alternative ‘legal’ mechanism if you wish to continue to transfer personal data to the US.
What about other transfer mechanisms?
The two other standard mechanisms in use are Standard Contractual Clauses (SCC’s) and Binding Corporate Rules (BCR’s).
BCR’s are typically used by large organisations to enable data transfers between companies or groups of companies and must have been approved by a Supervisory Authority.
SCC’s are usually drawn up between different companies or companies belonging to smaller organisations who could not afford the time or resources to become approved for BCR’s.
Whichever of these you might currently rely on or seek to use as an alternative, beware as in most cases these have also been invalidated by the CJEU ruling.
The advice is:
“Whether or not you can transfer personal data on the basis of SCCs/BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs/BCRs, following a case by case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
SCC’s and or BCR’s will almost certainly have been constructed on the premise that the equivalent controls in Privacy Shield when translated into the other mechanisms provided for GDPR equivalence.
It is almost certain that your SCCs or BCRs will need to be assessed and supplementary controls added that fill the gaps.
Your BCRs will need to be recertified.
SCCs will need to be rewritten, agreed and signed off by the relevant parties.
Is there any other solution?
Other possible transfer mechanisms do exist but will most likely mean a change to the way you do business.
GDPR Auditing can help with this process, following an assessment of your processing operations we can advise on the best course of action.
Our Privacy Shield Holding Statement is ready to be published. It covers all the relevant changes and what they mean for you and your customers, it explains what every company should be doing to assess and find solutions to the problem and how you will be working with your 3rd parties to ensure their compliance.
The information provided in this post is for general information only and is not intended to provide legal advice.