With European Union courts ruling the EU-US Privacy Shield “invalid,” many companies with European operations are left wondering what steps they need to take to remain compliant with EU data protection laws. With the courts struggling to find a clear path forward for companies, it’s important to ensure your business is compliant with current EU legislation in order to minimize your risk.
What happened and how did this all get started? #
The European Union is at the forefront of personal data privacy, including enacting GDPR among other legislation aimed at protecting individuals’ privacy rights. Included in that is EU Data protection legislation that prohibits the transfer of personal data to countries outside the European Economic Area (EEA), except under very specific criteria. The receiving country must provide an ‘adequate’ level of protection for personal data or ensure there were ‘appropriate’ safeguards in place to protect this data.
Unfortunately, terms like ‘adequate’ and ‘appropriate’ are very gray-area terms and very difficult to quantify in legal situations.
The EU-US Privacy Shield is a government-negotiated framework for providing a mechanism to safeguard personal data en route between the EU and the US. Companies that complied with the Privacy Shield could then transfer personal data under full compliance with EU laws.
However, in July 2020 the European Union Court of Justice – the equivalent of the US Supreme Court – ruled that the EU-US Privacy Shield was invalid. The court determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU law. Thus, corporations transferring data from the EU to the US as part of their normal business operations and interactions with customers, vendors or subsidiaries could no longer claim compliance with EU data transfer regulations based on their participation in the EU-US Privacy Shield.
What do I do now to transfer data and remain compliant? #
Our recommendation is that, to remain compliant with the ‘appropriate safeguard’ component of GDPR, companies should use Standard Contractual Clauses (SCCs) to outline the need and rationale for the transfer, the protection mechanisms in place to protect the data prior to, during and post-transfer, and consent and understanding from both parties. Standard Contractual Clauses are specific contractual clauses, laid out by the European Commission, that were in existence prior to GDPR and the Privacy Shield. By following the clauses approved by the European Commission, your company should remain compliant with EU law, as the invalidation of Privacy Shield should revert legislation back to its predecessor. You can find the SCCs here.
EU law also allows for certain circumstances where data can be transferred out of the EU without being subject to the adequacy or appropriate safeguard regulations. These circumstances include:
- Exception 1: The individual has given his or her explicit consent to the restricted transfer.
- Exception 2: You have a contract with the individual and the restricted transfer necessary for you to perform that contract, OR you are about to enter into a contract with the individual, and the restricted transfer necessary for you to take steps requested by the individual to enter into that contract.
- Exception 3: You have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred, and that transfer necessary for you to either enter into that contract or perform that contract.
- Exception 4: You need to make the restricted transfer for important reasons of public interest.
- Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.
- Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.
- Exception 7: You are making the restricted transfer from a public register.
- Exception 8: you are making a one-off restricted transfer, and it is in your compelling legitimate interests.
One final consideration is the impact of “Brexit.” The UK will continue to follow the EU data privacy legislation until 12/31/20. After that day, the UK General Data Protection Regulation becomes effective.
Final Considerations #
Poorly-worded legislation has led to a potential nightmare for US companies with EU operations. Without clear guidance or direction from governing bodies, companies are left attempting to navigate this minefield on their own. You don’t have to do this – there is a path forward, following our recommendations:
- Be certain to have Standard Contractual Clauses (SCCs) in each of your Data Processing/Protection Agreements. This mechanism makes it possible in practice to ensure compliance with the level of protection required by EU law.
- Update your Privacy Policy to reference these clauses rather than the EU-US Privacy Shield references that Management relied on previously.
- Assess your internal security design and operating effectiveness for controls over the receipt, processing (including data transfers within the organization as well as with external parties) and storing to ensure that data owners are adequately protecting sensitive, regulated data, such as personally identifiable information.
If you have any questions about this article or other security and privacy-related inquiries, please contact us at info@auditliaison.com or 800-741-2050.
