e m p ow e r i n g yo u
Between a rock and a hard place: International Data Transfers Under Chapter V of the EU’s General Data Protection Regulation (GDPR) we are required to identify a legal basis for transfer of personal data outside the EU. This includes the storage of personal data on servers that are housed outside the EU’s jurisdiction A ‘legal basis’ may include an adequacy decision, the Standard Contractual Clauses (or Model Clauses), Binding Corporate Rules, and derogations such as the explicit consent of data subjects for non-regular transfers.
What has changed recently in relation to EU-US data transfers? In July of this year, the European Court of Justice invalidated Decision 2016/1250 on the adequacy of protection provided by the EU-US Data Protection Shield, without a grace period. (You may know this decision as the “Schrems II” judgment.) In simple terms, the consequence of this judgement is that data transfers between the EU and the US that rely on the Privacy Shield to provide adequate protection, no longer enjoy a legal basis for transfer if solely reliant on the Privacy Shield. The Schrems II judgment not only invalidates the Privacy Shield, it also casts doubt on the possibility of validly entering into contractual arrangements using the Standard Contractual Clauses (SCC) with data recipients in countries that may engage in surveillance practices that are incompatible with the guarantees required under GDPR standards for the protection of personal data.
14
Will anything change when the UK fully leaves the EU at the end of 2020? It is unlikely that the United Kingdom will be granted an adequacy decision in the very near future, which leaves us in a similar position when considering EU-UK data transfers. Can we rely on entering into the Standard Contractual Clauses now, post-Schrems II, to cover the EU-UK data transfers? Possibly not.
What to do next? Currently, for transfers to the United States we cannot rely on the Privacy Shield and, likely, the Standard Contractual Clauses. However, there is commentary to suggest that if you had already entered into the Standard Contractual Clauses to leave as-is, for now, but try not to enter into these agreements going forward as a stop-gap to the invalidation of the Privacy Shield. For next steps we look to the Data Protection Commission (DPC) for guidance. Currently, there is none. However according to a quote in a recent press release, “While noting the Court’s reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision - such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment.”
‘‘
Have you done your risk analysis?
‘‘
Do you transfer data outside the EU?
In the absence of guidance from the DPC, we can look to the European Data Protection Board for guidance. Again, there is no guidance, however according to their FAQ documents, “the...Decision imposes an obligation on a data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned… Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
