Companies that have relied on the EU-U.S. Privacy Shield to transfer personal data from the EU to the U.S. must now put an alternative transfer mechanism in place as soon as possible to remain compliant with the GDPR.
What is EU-US Privacy Shield?
Article 44 of the GDPR prohibits transfers of personal data from the EU to a third country unless one of the protection mechanisms set out in Chapter V of the GDPR is in place (an adequacy decision, appropriate safeguards such as the standard contractual clauses, or a specific derogation). The EU-U.S. Privacy Shield was a compliance mechanism intended to allow U.S. entities to receive personal data from EU entities in a GDPR-compliant manner, provided the U.S. entity had self-certified its compliance with the requirements of the Privacy Shield.
What happened and what has changed?
On 16 July 2020, the European Court of Justice (ECJ) delivered its judgment in the “Schrems II” case and struck down the EU-U.S. Privacy Shield. The ECJ found that the Privacy Shield fails to protect EU individuals’ rights to privacy and data protection, and does not give them an effective remedy against access to their data by U.S. authorities.
The Schrems II case originated from a complaint made by Mr Max Schrems to the Irish Data Protection Commission (DPC) questioning the validity of the transfer and processing of personal data from Facebook Ireland to Facebook Inc. in the U.S. on the basis of the standard contractual clauses (SCCs). The DPC brought an action against Facebook before the High Court in Ireland. In May 2018, the High Court referred various questions on the validity of the standard contractual clauses and the EU-U.S. Privacy Shield to the ECJ for a decision.
The ECJ’s decision confirms the validity of the standard contractual clauses but invalidates the EU-U.S. Privacy Shield. Moving forward, it is no longer possible to rely on the Privacy Shield scheme as automatically providing the “adequate” level of protection that EU law requires when exporting personal data from the EU to the U.S.
Despite confirming the validity of the standard contractual clauses, the ECJ raised concerns about how they are used. The clauses bind only the parties that sign them, so they cannot on their own prevent public authorities in the importer’s country from accessing the data. The ECJ therefore held that the data exporter and the data importer (i.e. the U.S. recipient of the personal data) must assess, before transferring, whether the laws applicable to the importer (including national security and/or law enforcement access requirements) prevent the safeguards in the clauses from being effective in practice, and, where they do, must adopt supplementary measures or suspend the transfer.
What actions you need to take
1. Identify affected personal data
If you are a company that transfers data from the EU to the U.S. you must first determine whether your transfers are affected by the Schrems II decision. You’re likely to be affected, and could be in violation of the GDPR, if you are:
- a U.S. company that receives personal data from the EU (such as a U.S. parent with a European subsidiary or European-based customers or suppliers); or
- a European company that:
- sends personal data to the U.S. (whether to a group company, customer or supplier); or
- uses cloud software with servers in the U.S. and has been relying on the Privacy Shield.
2. Implement GDPR-compliant data processing and transfer agreements
If you determine that you are affected by the ruling, you should as soon as possible put in place international personal data processing and transfer agreements that incorporate the standard contractual clauses or another appropriate transfer mechanism, together with any supplementary measures needed to make those safeguards effective for the transfer in question.
3. Review other relevant policies and take other actions as needed
You may also need to:
- review and update your external and internal privacy policies where they refer to transfers of personal data from the EU;
- provide updated data protection training to your employees; and
- take any other steps your legal advisers recommend.
The contents of this article are intended for informational purposes only. The article should not be relied on as legal or other professional advice. Neither Vistra Group Holding S.A. nor any of its group companies, subsidiaries or affiliates accept responsibility for any loss occasioned by actions taken or refrained from as a result of reading or otherwise consuming this article. For details, read our Legal and Regulatory notice at: http://www.vistra.com/notices . Copyright © 2022 by Vistra Group Holdings SA. All Rights Reserved.