As the sun sets on an era where personal data could freely transfer between the EU and USA under Privacy Shield (and its predecessor, Safe Harbor), what does the Court of Justice of the European Union's ruling on the 16th July that Privacy Shield is no longer sufficient to protect personal data mean for your business?
Under the GDPR, personal data may be transferred to countries outside the EU (known as third countries) only if there is an adequate level of data protection.
Such protections are:
- An Adequacy Agreement (such as the UK seeks as we exit the EU)
- Standard Contractual Clauses
- Binding Corporate Rules
- An allowed "Exception"
Most businesses will rely on some form of contractual clauses; however, many took the easy route and stipulated that, because the recipient of data sent from the EU to the USA was part of the Privacy Shield scheme, this permitted the lawful transfer of data.
As of the 16th July 2020, that no longer applies!
To lawfully continue to transfer EU personal data to a USA recipient, you must have in place Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or an allowable exception.
The CJEU ruling, which invalidated Privacy Shield, also set a new burden on those who wish to use SCCs: they must now also consider the laws and practices of the country to which the data is transferred, and pay particular attention to countries where it is possible that other unintended recipients may be granted access to the data or have that data shared with them.
What do you need to do?
- If your business already has Binding Corporate Rules or Standard Contractual Clauses in place between you and the providers in the US, these remain in force and effective, but you should review them to ensure they adequately meet your own standards of security and data protection.
- Keep an ear on guidance from the European Data Protection Board, the Information Commissioner's Office and professionals like ourselves.
- Develop a "due diligence" process towards determining the basis upon which you will facilitate an international data transfer. (you can download our quick assessment checklist on this page)
- Consider what you believe to be adequate security and protection and review suppliers to ensure they meet those requirements.
- Review what data you currently send to the USA and put in place Standard Contractual Clauses (or Binding Corporate Rules if the recipient is within the same corporate group)
- Update your Privacy Policies to reflect these changes
Many providers have already started to put in place, or have already put in place, additional Data Protection Agreements as part of their terms of business. You should ensure you have current copies of these, are satisfied that they meet your criteria for adequate safeguards, and that they are stored with your compliance documentation.
You will also need to communicate to anyone whose data you have already transferred, or whose data you intend to transfer, that you are transferring data to the USA and that this is done on the basis of new terms, giving them the appropriate opportunity to object or consent to this new process.
If you are at all unsure about whether your use of cloud services, or your sending of data to or through the USA, is lawful, contact one of our experts, who will be more than happy to review your service agreements and advise you accordingly.
Download our International Data Transfer Assessment Checklist
We're more than happy to share this document from our comprehensive GDPR documentation toolkit for free, but we'd like to ask for a few details from you so that we can follow up with you in a few days to check how you're getting on, and also keep you updated with all the latest news and information around Privacy, Data Protection and Information Security.