A recent judgement of the Court of Justice of the European Union means that data transfers out of the European Economic Area (EEA) that currently rely on Privacy Shield are now invalid. The ruling, which may also apply to data transfers to and from the UK from the end of this year, confirms that any transfer of personal data to a third country is itself 'data processing' and is therefore covered by the GDPR rules.
ICS Vice President and data protection expert Declan Brady offers his observations on the new ruling and what you need to do below.
Privacy Shield is dead. Get your data transfers sorted if they go outside Europe (the EEA); that may include the UK very soon.
In a nutshell, the judgement decided that: (1) the EU-US Privacy Shield decision is invalid and can no longer be used as the basis for a transfer; (2) standard contractual clauses (SCCs) remain a valid basis, provided all the conditions attached to their use are actually met; and (3) it is the data controller's responsibility to ensure that appropriate safeguards are in place before any data is transferred.
With both main parties to the case (Max Schrems and Facebook) claiming victory from the result, the devil, of course, is in the detail. Privacy Shield is dead and cannot be used, but SCCs can be, provided all the underlying conditions for their use are met.
What are the implications of all this?
Well, if, as a data controller, you are not exporting personal data outside of the EEA (directly or indirectly, for example through a processor or sub-processor), then you need not worry about it. Note that the UK is now in neither the EU nor the EEA, and that the transition period ends on December 31, at which point it may become a third country for these purposes.
If you're not exporting data outside of the EEA, you need not worry
If you are transferring data to the USA and you are relying on Privacy Shield as your basis, then that basis is no longer valid and you need to put a different one in place (see GDPR Article 46, which sets out the appropriate safeguards available for such transfers, SCCs among them).
If you are transferring data to any third country (i.e. outside of the EEA) and you are relying on standard contractual clauses as your basis, then you need to re-evaluate whether your use of SCCs actually meets all the conditions that attach to them and to the transfer itself, including whether the law and practice of the destination country allow the clauses to be enforced.
Does your use of SCCs meet all the conditions that must apply?
What should your next steps be?
Firstly, make sure you engage the right experts. The judgement covers a fair bit of ground over its 40+ pages and requires a good understanding of various EU decisions and directives. It also makes clear (if it was not clear before) that it is the data controller's responsibility to ensure that appropriate safeguards are in place prior to the transfer of any data. While standard contractual clauses are affirmed as a valid basis, they are not sufficient in their own right: the controller must verify that they can actually be honoured in the destination country. Other legal bases should be considered too, as should supplementary technical measures that limit what the recipient can access.
Engage with the right experts, and consult with your business on the changed risk landscape
Next, you must consult with your business. The judgement shifts the risk landscape, and the changed risk arithmetic may have an impact on business and technical strategy. Different options will present themselves, and these need to be deliberated before recommendations are presented to the business leadership. Ensure that the risk evaluations, recommendations and decisions are appropriately documented.
Then develop your plan and take action. The judgement, while providing new clarity on Privacy Shield and standard contractual clauses, raises questions about other areas (for example, how data controllers are to assess the legal context of a third country for adequate enforceability of standard contractual clauses), so it will be necessary to monitor advice from supervisory authorities across the EU as further clarity is sought.
Take action, but monitor advice from Supervisory Authorities.
Article republished with kind permission from Declan Brady, ICS Vice President and data protection expert. Read his original post here.