EU-US Privacy Shield Invalidation: must-known essentials when processing personal data

EU-US Privacy Shield Privacy Shield & Swiss-US Privacy Shield updates as per November 2020

Today, transatlantic personal data transfers have become common practice. Under the GDPR though, these transfers are subject to numerous provisions, in particular to ensure that the data will benefit from adequate protection, even when being transferred abroad. In this context, the EU-US Privacy Shield Framework was designed to provide companies “with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US”.

In a landmark decision that shined a light on data protection issues relating to these transfers, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, leaving tons of companies with more questions than answers about how to address this issue. Indeed, following this decision, any and all data transfers once valid under the EU-US Privacy Shield ought to be revised in order to remain GDPR compliant.

Some well-recognized organizations took actions to identify alternative solutions, like Cytowski & Partners who suggest the following alternatives for companies impacted by the decision:

  • to relocate data processing operations inside the EU and cease EU-US data transfers;
  • to rely on Standard Contractual Clauses (“SCCs”), as it remains a valid compliance mechanism for the transfer of personal data outside of Europe;
  • to obtain individuals’ explicit consent to the transfer;
  • to implement Binding Corporate Rules (GDPR Art. 47); or
  • to rely, when appropriate, on specific derogations (GDPR Art. 49).

Updates for Standard Contractual Clauses (SCCs).

While the SCCs were not invalidated by the CJEU, the ruling introduced further requirements to be met in this regard. In addition, “a case-by-case assessment as to whether [the SCCs] have provided appropriate safeguards” is now mandatory for any affected companies. If proven to be insufficient, the SCCs shall and may be supplemented with additional measures to ensure an adequate level of data protection. In early November 2020, the European Data Protection Board (EDPB) adopted Recommendations on supplementary measures following Schrems II.

The invalidation of the EU-US Privacy Shield highlights the importance of relying on the right solutions, in particular to prevent companies from being disrupted by such decisions. For a company having to address such issues post-disruption, it can be very hard as it requires to have the resources and knowledge to do so. However, ready-to-use data management solutions that allow for privacy compliance and flexibility over time exist and could help in this matter.

Our on-premise software Pryv.io, for example, allows for distributed data storage to enable local regulations compliance, and also to create installations that span the globe and co-locate the data with the users’ legislation. Based on a powerful per-user and privacy-by-design approach, each user data can be stored in a different server, which can be relocated anywhere if needed. Pryv.io also provides a clear data sharing mechanism and consent management solution, thus enabling companies to easily update their customers’ consent at a granular level.

De-risk your compliance with data-audit at Pryv.io.

Updates for Swiss-US Privacy Shield as of September 2020.

Following “Schrems II” ruling, the Swiss Data Protection and Information Commissioner estimated that the Swiss-US Privacy Shield does not provide an adequate level of protection for Swiss-US data transfers and the mention “adequate level under certain conditions” was removed for the United States. Although the Swiss-US Privacy Shield was not invalidated at that time, Swiss companies are advised to rapidly start addressing this concern.

Yours,

Stephanie & Evelina

Sources: