Next Steps for EU/EEA companies who transfer personal data to US or other non-EU/EEA based partners
Legal News August 2020
On Thursday 16 July 2020 the Court of Justice of the European Union (CJEU) delivered its judgment examining the validity of the Standard Contractual Clauses (SCC) and of the Privacy Shield Decision (Decision 2016/1250, EU-U.S. Privacy Shield) with respect to transfers of data between the EU/EEA and the United States, and declared the Privacy Shield invalid.
This judgment concerns not only data transfers to the USA but, more generally, transfers of data from the EU/EEA to any third country for which there is no adequacy decision.
What does this change for companies that transfer personal data to the USA and other non-EU/EEA countries? The main point is that all organisations should take appropriate and decisive steps to confirm that data transfers under their responsibility comply with the GDPR and the judgment of the CJEU. In line with the European Data Protection Board (EDPB) opinion on this CJEU judgment, we have prepared our preliminary recommendations for all EU controllers or processors who transfer personal data to a non-EU/EEA organisation:
Step 1: Review all your data processes and external data flows to third countries and conduct a Data Transfer Assessment;
Step 2: Identify the relevant legal basis for transferring personal data – whether the legal ground is an adequacy decision, Binding Corporate Rules or Standard Contractual Clauses;
Step 3: If you, or a partner with whom you share your clients’ data (a data processor), transfer data on the basis of the Privacy Shield, you should stop those data transfers, because the Court has decided that transfers on the basis of the Privacy Shield are illegal. You should ensure coverage under another safeguard, such as Standard Contractual Clauses, or another legal ground provided by the GDPR.
Step 4: Use the Standard Contractual Clauses for transfers to any non-EU/EEA partner and, before you start to transfer the data, make a “case by case” analysis of whether there are any national laws that violate the GDPR. Please be aware that non-EU/EEA partners who cooperate in any respect with US authorities conducting surveillance of communications (electronic communication service providers) are not compliant with EU law. In paragraph 183 of C-311/18, the CJEU also found that US surveillance “in transit” (such as “Upstream” or taps of the underwater cables) violates EU fundamental rights.
Step 5: If you use the Standard Contractual Clauses for transfers to any non-EU/EEA partner, request additional information from that partner to make sure that you have all the legal instruments needed to exercise control over the data you have transferred.
A transfer to a third country means that personal data processed about individuals in an EU or EEA country is made accessible to a company outside the EU/EEA. It is permitted to transfer personal data to companies based in a non-EU/EEA country only if that country provides an adequate level of data protection.
If you are making a data transfer outside the EU/EEA, you need to know whether it is covered by an EU Commission “adequacy decision”. At this moment the EU Commission has determined that the following countries have an adequate level of protection: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has made partial findings of adequacy for Japan and Canada. If the data transfer is covered by an adequacy decision, you may go ahead with the transfer to that country. Of course, you must still comply with the rest of the GDPR.
If there is no ‘adequacy decision’ covering the country, territory or sector for your restricted transfer, you should then find out whether you can make the transfer subject to ‘appropriate safeguards’, which are listed in the GDPR. One of the appropriate safeguards permitted by the GDPR is Standard Contractual Clauses (SCC) adopted by the EU Commission; another is Binding Corporate Rules. If you use the SCC you have to analyse the local laws in the data recipient’s country and make sure that these national laws do not violate data subjects’ rights and other GDPR requirements.
It sounds overwhelming, but there is no “grace period” in the case of EU-US data transfers: the Court has invalidated the Privacy Shield Decision without maintaining its effects. Transfers on the basis of the Privacy Shield are illegal, and if you wish to keep transferring data to the U.S. you have to check whether you can do so under another legal ground provided by the GDPR. The Data Protection Inspectorate has the power to prohibit data transfers when you lack a valid legal instrument for the transfer.