Transfer of personal data to the US deemed illegal - key steps that your organisation can take after Schrems II

Aug 6, 2020 12:00:00 AM | Privacy Shield

Many European organisations share data with organisations outside the EU, or rather the EEA, and that data is often transferred to the US. Most of these organisations, 60% of them, relied on the Privacy Shield as a data transfer mechanism to the US. However, on July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield, which puts the transfer of personal data to more than 5,500 US organisations (including the most used software tools) in violation of EU privacy law, the GDPR. The reason for the invalidation: the law and practice of access to personal data by US intelligence services mean that personal data does not receive an adequate level of protection by EU standards.

Wider consequences

The Court also added conditions to SCCs (approved model contracts to ensure safe processing outside the EU). Data exporters should take into account the law and practice of the country to which the data will be transferred, in particular regarding government access to this data. 88% of organisations sharing data outside the EU rely on these model contracts. SCCs are also the most obvious alternative to transfers to the United States. However, the further use of the model contracts seems practically infeasible due to the now added conditions. The ruling therefore not only has major consequences for data transfers from the EU to the US, but also complicates international data traffic in general. It is therefore crucial to gain an overview of the state of affairs in your organisation and to ensure that you can continue to comply with the GDPR.

What now?

When the predecessor of the Privacy Shield (Safe Harbor) was declared invalid, the privacy regulators instituted a tolerance period. Organisations were then given time to adapt to the new situation. The EDPB, the European umbrella organisation for privacy supervisors, has stated that there will be no tolerance period in this case, and the Dutch Data Protection Authority does not mention a tolerance period either in its response to the Schrems ruling. As such, there is a need to act quickly.

Take action

The following step-by-step plan can help to get a grip on the situation.

  1. Pay attention to the guidelines and statements of the supervisory authorities, for example on the websites of the Dutch Data Protection Authority, the EDPB and the European Commission.
  2. Find out which organisations receive personal data from your organisation. This should be in your (mandatory) processing register, for example, in PrivacyPerfect. Please note that the parties you use can also pass the data on to other parties. You should have agreements about this in your data processing agreement.
  3. Find out if data is being transferred to countries outside the EU and what transfer mechanism is used for this. In particular, consider:
    a. organisations participating in Privacy Shield;
    b. organisations using SCCs;
    c. US organisations in general.
  4. In the case of SCCs: find out whether the receiving party can meet the (additional) conditions mentioned in the Schrems ruling. It is very likely that these conditions will not be met in the case of possible government access to data, as is the case with US organisations.
  5. Limit the transfer of personal data to countries outside the EU, choose storage in the EU and/or put other appropriate safeguards in place to protect the data when transferring. Many (non-EU) service providers nowadays allow data to be stored in the EU. Check whether the data is nevertheless processed outside the EU, for example because a helpdesk in a third country monitors the system.
  6. Change the service provider in case of uncertainty. PrivacyPerfect is a Dutch organisation that only uses reliable parties for its service, and stores user data in the Netherlands.
  7. Adjust your privacy statement to the new situation and inform those involved where necessary.