23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’.
What’s happened?
For transfers of personal data to the US, one of the main transfer mechanisms was the EU–U.S. Privacy Shield, a framework which enabled Privacy Shield-registered U.S. companies to receive personal data from EU entities. But that came to an abrupt end on 16th July 2020, when in its judgment in the ‘Schrems II’ case the Court of Justice of the European Union declared the Privacy Shield invalid with immediate effect. The CJEU’s position was that the Privacy Shield did not provide EU citizens with a level of protection essentially equivalent to that afforded by EU law and systems, particularly having regard to the lack of oversight of U.S. law enforcement agencies accessing EU citizens’ personal data, particularly under Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333, and Presidential Policy Directive 28.
Ah, ok. Anything else I need to know?
Well, funny you should ask. Following the invalidation of the Privacy Shield, the only remaining real option for most companies which want to transfer personal data to countries which are neither in the EEA nor have the benefit of a European Commission adequacy decision (so-called ‘third countries’) is to use the Standard Contractual Clauses (SCCs). But as if ripping up the Privacy Shield wasn’t enough, the CJEU also made it clear that SCCs must not be used as a ‘quick fix’ to legitimise transfers of personal data to a non-EEA country, but instead data exporters must, prior to using SCCs, carry out an assessment of the level of protection afforded to EU data subjects in the third country. The assessment must be carried out not only by reference to the terms of the contract between the data exporter and data importer (i.e. the SCCs), but also “as regards any access by the public authorities of that third country to the data transferred, [and] the relevant aspects of the legal system of that third country”. If the assessment determines that EU data subjects would not benefit from a level of data protection “essentially equivalent” to the protection that data subjects have in the EEA, then the data exporter should identify and implement “supplementary measures … in order to ensure compliance with that level of protection”.
So what do I need to do?
- If you have been relying on the EU-U.S. Privacy Shield to legitimise your transfers of personal data to an organisation in the U.S., then you must immediately stop the transfers until you have put in place a new transfer mechanism. This is most likely to be SCCs, but…
- Prior to using SCCs, you will need to carry out an assessment of the country to which you are proposing to export personal data (a ‘Transfer Impact Assessment’ or ‘TIA’) and, if you determine that the third country does not provide a level of protection for the personal data which is “essentially equivalent” to the EEA, then you must put in place “supplementary measures” to compensate for any shortfalls.