EU – US Personal Data Transfers
Privacy Shield Invalidated
The Court of Justice of the European Union (CJEU) ruling on the 16th July invalidated the EU-US Privacy Shield.
The ruling also called into doubt Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC) and derogations under Article 49 of the GDPR of limited use and still potentially risky.
For more details see our blog: EU-US Privacy Shield is Dead
If your business transfers data from the EU or UK to the US you need to re-assess your legal basis for doing so and look for alternative legal solutions.
Chances are there will be an impact on your businesses even if you don’t directly use Privacy Shield, Binding Corporate Rules or Standard Contractual Clauses, why?
Read our blog to find out more: 6 Questions every EU Company Should ask about Privacy Shield
Depending on your circumstances you need to do the following.
- Find an alternative to Privacy Shield since this is now illegal
- Assess in detail your Standard Contractual Clauses, to determine whether supplementary controls will be possible
- Assess your Binding Corporate Rules to determine whether supplementary controls are possible. Then have them revalidated
- Assess whether your transfers using derogations are still legal
- Ensure that any 3rd parties you use are not affected and if they are find out what they are doing about it
GDPR International Transfer Service
We are specialists in creating solutions for International Personal Data Transfers. We have provided solutions for EU to US via Privacy Shield, SCC and BCR. As well as EU to India, EU to Canada, EU to Kenya to name a few.
We have designed our International Transfer Service to determine what your business exposure is, and to find solutions.
The first step for any business should be to publish a holding page so that your customers understand you are aware of the problem and explaining what you are doing about it. We have created a template holding page which we are giving away free for any subscribers to our Newsletter, see bottom of page.
The Service consists of the following elements
- Analyse all areas of the business impacted by the CJEU ruling
- Perform SCC and or BCR assessments where required
- Assess derogations if in use
- Catalogue all 3rd parties affected and what their mitigations are
- Present findings along with risk assessment
- Agree priority for remediation
- Document options for business areas impacted to become compliant
- Implement chosen options (which may include ceasing to transfer personal data to the US)
What do I get?
At the end of the full service, you will have a roadmap to follow or an implemented solution enabling you to continue your business legally.
We can deliver some elements individually but we usually recommend the full server 1-8. Your organisation may not require all elements of the service, for example most organisations will not have BCR’s.
CAUTION: You should not underestimate the impact of the CJEU ruling. An easy or cheap solution may not be available to all businesses. Options may not always enable legal personal data transfers to the US. Some may include alternatives that avoid the US altogether.
If you think this does not apply to your business consider the following list of companies who are on record as using Privacy Shield and or Binding Corporate Rules, they may also make use of Standard Contractual Clauses.
Facebook, Amazon, Microsoft, Google, SalesForce, DropBox, MailChimp
Using services from these companies could impact your business.
Our Privacy Shield Holding Statement is ready to be published. It covers all the relevant changes and what they mean for you and your customers, it explains what every company should be doing to assess and find solutions to the problem and how you will be working with your 3rd parties to ensure their compliance.
The information provided in this post is for general information only and is not intended to provide legal advice.