Companies that transfer personal data from the EU to the U.S. and have been relying on the EU-U.S. Privacy Shield must now put in place an alternative transfer mechanism as soon as possible in order to remain compliant with the GDPR.
What is the EU-U.S. Privacy Shield?
Article 44 of the GDPR, together with the rest of Chapter V, requires an appropriate safeguard or adequacy finding to be in place before personal data is transferred from the EU to a third country. The EU-U.S. Privacy Shield was a framework, backed by a European Commission adequacy decision, intended to allow U.S. entities to receive personal data from EU entities in a GDPR-compliant manner provided the U.S. entity had self-certified that it would comply with the Privacy Shield principles.
What happened and what has changed?
On 16 July 2020, the European Court of Justice (ECJ) delivered its judgment in the “Schrems II” case (Case C-311/18) and struck down the EU-U.S. Privacy Shield. The ECJ found that the framework does not ensure an adequate level of protection for individuals’ rights to privacy and data protection, in particular because of the scope of U.S. surveillance laws and the absence of an effective remedy for EU individuals before U.S. courts or an independent body.
The Schrems II case originated from a complaint made by Mr Max Schrems to the Irish Data Protection Commission (DPC) questioning the validity of the transfer and processing of his data from Facebook Ireland to Facebook in the U.S. on the basis of the standard contractual clauses (SCCs). The DPC brought an action against Facebook before the High Court in Ireland. In May 2018, the High Court referred various questions on the validity of the standard contractual clauses and the EU-U.S. Privacy Shield to the ECJ for a decision.
The ECJ’s decision confirms the validity of the standard contractual clauses but invalidates the EU-U.S. Privacy Shield. This means that, going forward, it is no longer possible to rely on the Privacy Shield scheme as automatically providing the “adequate” level of protection the GDPR requires when exporting personal data from the EU to the U.S.
Despite confirming the validity of the standard contractual clauses, the ECJ raised concerns regarding their use. In particular, the Court questioned whether the safeguards contained in the standard contractual clauses can be honoured in practice where national laws (including national security and/or law enforcement requirements) applicable to the data importer (i.e. the U.S. recipient of personal data) prevent those safeguards from being effective. The Court therefore expects the data exporter and the data importer to verify, before transferring, whether the law of the destination country allows the clauses to be complied with, to adopt supplementary measures where it does not, and to suspend the transfer if adequate protection cannot be ensured.
What actions you need to take
1. Identify affected personal data
If you are a company that transfers personal data from the EU to the U.S., you must first determine whether your transfers are affected by the Schrems II decision. You are likely to be affected, and could be in violation of the GDPR, if you are:
- a U.S. company that receives personal data from the EU (such as a U.S. parent with a European subsidiary, or with European-based customers or suppliers); or
- a European company that:
  - sends personal data to the U.S. (whether to a group company, customer or supplier); or
  - uses cloud software with servers in the U.S. and is relying on the Privacy Shield for that transfer.
2. Implement GDPR-compliant data processing and transfer agreements
If you determine that you are affected by the ruling, you should as soon as possible put in place data processing and transfer agreements that incorporate the standard contractual clauses or another transfer mechanism permitted under Chapter V of the GDPR (for example, binding corporate rules or, in limited cases, one of the Article 49 derogations). Given the ECJ’s concerns about the standard contractual clauses, you should also document your assessment of whether the laws applicable to the data importer allow the clauses to be complied with, and put in place supplementary measures where they do not.
3. Review other relevant policies and take other actions as needed
You may also need to:
- review and update your external and internal privacy policies where they refer to transfers of personal data from the EU;
- provide updated data protection training to your employees; and
- take other steps as you are advised.