When the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a vehicle to transfer personal data from the EU to the US, last July 16, 2020, the obvious question was: “What is the transition period?” The answer is now coming from EU Data Protection Authorities in Europe: there is none. This is what companies who used to rely on the EU-US Privacy Shield should do now to bring their cross-border personal data transfers in line with European law:
- Reassess all transfers currently occurring under the EU-US Privacy Shield to determine the appropriate legal basis for further transfer performing “data export impact assessments”, meaning, in accordance with the decision of the CJEU, assessing the specific risks of transfer to a specific country of destination and/or through a specific data importer. The test is stated at Article 44 of the GDPR that “the level of protection of natural persons guaranteed by the Regulation is not undermined.”
- Negotiate Standard Contractual Clauses (SCCs) to govern the transfer of personal data between organizations or develop Binding Corporate Rules (BCRs) for the transfer of data among affiliates of one organization, or use individual consent where it is applicable. For example, in e-commerce, while it is not ideal, some companies may want to consider the practicality of subjecting a transaction to express consent to cross-border data transfer.
- Obtain warranties from the organizations receiving EU data (the data importers) under SCCs or verify, in relation to their own BCRs, that they are not precluded by local law to comply with SCCs and BCRs, such as through State interference with personal data, allowed by law, in the country of destination.
- internal guidelines for their contract staff to limit cross border data transfers to countries where the SCCs or BCRs are not undermined by local law on State access to personal data;
- apply technological safeguards, as well as guidelines for their implementation, to allow only legitimate State access to personal data for public safety reasons.
The European Data Protection Board (EDPB), the body created by the GDPR to “ensure the consistent application of the Regulation” is currently examining what supplementary measures – whether legal, technical or organizational measures – could be applied to transfer data to third countries where SCCs or BCRs would not provide the sufficient level of guarantees, on their own, in view of the law of the country of destination.
While guidance is being developed, organizations are still expected to address the legal basis for transfer of personal data formerly under the EU-US Privacy Shield, immediately.
Dentons is preparing material to assist its clients in this regard. We encourage you to seek advice from your privacy counsel to ensure compliance in cross border personal data flows.