Many European organisations share data with organisations outside the EU, or more precisely the EEA, and that data is often transferred to the US. Most of these organisations, 60% of them, relied on the Privacy Shield as a data transfer mechanism to the US. However, on July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield, which puts the transfer of personal data to more than 5,500 US organisations (including the most used software tools) in violation of EU privacy law, the GDPR. The reason for the invalidation: the law and practice of access to personal data by US intelligence services mean that personal data does not receive an adequate level of protection by EU standards.
Wider consequences
The Court also added conditions to Standard Contractual Clauses (SCCs), the approved model contracts intended to ensure safe processing outside the EU. Data exporters should take into account the law and practice of the country to which the data will be transferred, in particular regarding government access to this data. 88% of organisations sharing data outside the EU rely on these model contracts. SCCs are also the most obvious alternative for transfers to the United States. However, further use of the model contracts seems practically infeasible because of the added conditions. The ruling therefore not only has major consequences for data transfers from the EU to the US, but also complicates international data traffic in general. It is therefore crucial to gain an overview of the state of affairs in your organisation and to ensure that you can continue to comply with the GDPR.
What now?
When the predecessor of the Privacy Shield (Safe Harbor) was declared invalid, the privacy regulators instituted a tolerance period, which gave organisations time to adapt to the new situation. The EDPB, the European umbrella organisation for privacy supervisors, has stated that there will be no tolerance period in this case, and the Dutch Data Protection Authority does not mention a tolerance period either in its response to the Schrems ruling. As such, there is a need to act quickly.
Take action
The following step-by-step plan can help to get a grip on the situation.