Definition: Déjà EU, the feeling that the EU has done this before.
Earlier today (July 16th 2020) the European Court of Justice (ECJ) invalidated “Privacy Shield”, a mechanism which allowed companies to freely transfer personal data pertaining to their clients and employees from Europe to the US. It is not the first time this happens, the previous mechanism (Safe Harbor) was invalidated in October 2015 and resulted in a substantial bit of disruption.
What was Privacy Shield?
Privacy Shield was one of three mechanisms that provided an adequacy ruling for companies to transfer personal information from the European Union to the United States. Companies could easily self-certify on the privacy shield website, a program run by the U.S. Department of Commerce, and receive personal information from their clients or subsidiaries in the EU.
What alternatives exist to privacy shield?
- EU Standard Contractual Clauses (SCCs): these are standard contracts that are available on-line and that can be executed between the European entity (the data exporter) and the U.S. entity (the data importer). SCCs bind the importer to European requirements when handling personal data in scope.
- Binding Corporate Rules (BCRs): these are global data handling policies for multinational organizations that bind them to the processing of personal data in-line with European law. BCRs go through a rigorous approval process within EU regulatory bodies and can often take upwards of two years to complete. Once in place, they allow organizations to freely move personal data across their businesses without data residency constraints.
Does this matter to my organization?
Transferring personal data to the US may not seem part of your business, but just using US based cloud services, such as email, HR systems or CRM / ERP platforms is considered transfer.
What should I do if I’m using US providers to handle European personal data?
- Assess which services / transfers come within scope.
- Review contractual agreements to check if they included SCCs – Gartner has long recommended that organizations employ supplementary or alternative transfer mechanisms as Privacy Shield has been in danger of invalidation since it was not drastically different from its predecessor (see Practical Privacy — Four Fundamental Use Cases for International Data Transfers)
- If the transfers are within subsidiaries of the same parent company, check if the organization has implemented BCRs.
- If Privacy Shield was the only mechanism in place, the fastest alternative most organizations choose is execution of SCCs between the European entity (the data exporter) and the U.S. entity (the data importer).
- In the event where the provider has the ability to transfer hosting to European servers, this would alleviate the need for any contractual changes as European data would not exit the EU. Note: even though the UK is still part of the EU. Transferring hosting from the US to the UK would only delay the need for an alternative mechanism till the BREXIT transition period has elapsed (December 31st 2020).
What should I do if I’m a provider in the US serving European customers?
As a service provider, if you have implemented SCCs in your contractual agreements, this would provide an alternative transfer mechanism. Many service providers in the US started including SCCs in contract addenda with the advent of the GDPR. If there are older contracts where these addenda were not included, these should be amended immediately.
If Privacy Shield was the only mechanism in place, this would potentially mandate the processing of SCCs with all European clients.
This guest post was provided by Nader Henein.