The decision of the Court of Justice of the European Union (CJEU) in the Schrems II case, invalidating the EU-US Privacy Shield, has sent shock waves through the business community. With little guidance forthcoming as yet and no transition period indicated by the European data protection authorities, companies that use data processing partners or service providers in the US are advised to prepare as soon as possible. Here is our three-point plan to help you.
Affected companies should not remain inactive, but should review their data transfers to third countries along the following lines. All measures taken in this context should be documented so that compliance can be demonstrated later (accountability, Art. 5(2) GDPR).
As a first step, examine which US data importers rely on the invalidated EU-US Privacy Shield. For this purpose, review the data processing agreements concluded pursuant to Art. 28 GDPR with the relevant contractual partners (i.e. data processors within the meaning of Art. 4 no. 8 GDPR). Transfers of personal data between two data controllers (Art. 4 no. 7 GDPR) can also be affected. Finally, check whether data processors based in the EU or EEA (including Germany) have in turn engaged sub-processors in the US, and whether those sub-processors rely on the EU-US Privacy Shield.
As a second step, identify the US data importers (i.e. data processors and data controllers) whose data transfers are based on another appropriate safeguard under Art. 46 GDPR, e.g. the EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The CJEU left the SCCs in force, but it also made clear that relying on them requires the exporter to assess whether the importer can actually comply with them in practice.
As a third step, contact the US data importers identified under steps 1 and 2 and ask them to explain to what extent US authorities can access the personal data transferred. In particular, the US data importers should state whether they are subject to the provisions examined by the CJEU, i.e. 50 U.S.C. § 1881a (Section 702 of the US Foreign Intelligence Surveillance Act [FISA]), and whether they make personal data available to US authorities under Executive Order 12333 or other US laws with comparable objectives (e.g. the US CLOUD Act).
Depending on the importer's response, it then needs to be decided whether
■ the data transfer can be maintained in its current form;
■ the data transfer can be secured by supplementary measures, which are likely to have to be technical measures (such as encryption under which the importer holds no key and cannot access the data in clear text) rather than merely contractual arrangements, since contractual terms cannot bind US authorities; or
■ the data transfer must be stopped and the personal data already transferred retrieved.
In any case: if the EU-US Privacy Shield has so far been the sole legal basis for the data transfer, a switch to other appropriate safeguards in accordance with Art. 46 GDPR is mandatory.
IMPORTANT: The CJEU in its "Schrems II" judgment, the European Data Protection Board (EDPB) in its FAQ dated 23 July 2020, and the German Datenschutzkonferenz (DSK, the conference of the German data protection supervisory authorities) in its press release dated 28 July 2020 have all made clear that data exporters must assess the level of data protection in the recipient country on a case-by-case basis and, where necessary, provide supplementary safeguards. This requirement is not limited to the US, but applies to all third countries, such as India and China, and, from 1 January 2021, also to the UK. As the data protection supervisory authorities have repeatedly made clear, there is no transitional period. The three steps above should therefore be implemented promptly.
Relentless Privacy and Compliance Services provides expert guidance and services for clients worldwide.