Companies that transfer personal data from the EU to the U.S. must now put in place an alternative compliance mechanism as soon as possible to comply with the GDPR.
What is EU-US Privacy Shield?
Article 44 of the GDPR requires certain protection mechanisms to be put in place when transferring personal data from the EU to a third country. The EU-U.S. Privacy Shield is a compliance mechanism intended to allow U.S. entities to receive personal data from EU entities in a GDPR-compliant manner if the U.S. entity has signed up to comply with the requirements of the Privacy Shield.
What happened and what has changed?
On 16 July 2020, the European Court of Justice (ECJ) made a final judgement and struck down the EU-U.S. Privacy Shield. The ECJ found that it fails to protect individuals’ rights to privacy, data protection and access to remedy following a ruling in the “Schrems II” case.
The Schrems II case originated from a complaint made by Mr Max Schrems to the Irish Data Protection Commission (DPC) questioning the validity of the transfer and processing of data from Facebook Ireland to Facebook USA based on the use of the standard contractual clauses (SCCs). The DPC brought an action against Facebook before the High Court in Ireland. In May 2018, the Court referred various questions on the validity of the standard contractual clauses and the EU-U.S. Privacy Shield to the ECJ for a decision.
The ECJ’s decision in this case confirms the validity of the standard contractual clauses but invalidates the EU-U.S. Privacy Shield. Going forward, it is no longer possible to rely on the Privacy Shield scheme as automatically providing the “adequate” level of protection that the EU requires when personal data is exported from the EU to the U.S.
Despite confirming the validity of the standard contractual clauses, the ECJ has raised a few concerns regarding their use. In particular, it questioned whether the safeguards contained in the standard contractual clauses can actually be implemented where national laws (including national security and/or law enforcement requirements) applicable to the data importer (i.e. the U.S. recipient of personal data) prevent those safeguards from being effective.
What actions you need to take
1. Identify affected personal data
If you are a company that transfers data from the EU to the U.S., you must first determine whether your transfers are affected by the Schrems II decision. You’re likely to be affected, and could be in violation of the GDPR, if you are:
- a U.S. company that receives data from the EU (such as a U.S. parent with a European subsidiary or European-based customers or suppliers); or
- a European company that:
  - sends personal data to the U.S. (whether to a group company, customer or supplier); or
  - uses cloud software with servers in the U.S. and is relying on the Privacy Shield.
2. Implement GDPR-compliant data processing and transfer agreements
If you determine that you are affected by the ruling, you should, as soon as possible, implement International Personal Data Processing and Transfer Agreements which incorporate the standard contractual clauses or another appropriate compliance mechanism.
3. Review other relevant policies and take other actions as needed
You may also need to:
- review and update your external and internal privacy policies where they refer to transfers of personal data from the EU;
- provide updated data protection training to your employees; and
- take other steps as you are advised.