This note aims at presenting answers to some frequently asked questions (FAQs) about international (cross-border) transfers of personal data after the decision of the Court of Justice of the European Union (CJEU) on 16 July 2020.
What did the Court rule about Privacy Shield?
The Court said that the ability of US law enforcement authorities to access, for national security purposes, personal data transferred from the EU resulted in limitations on the protection of personal data which are not equivalent to those required under EU law. As a consequence, the Court declared Privacy Shield invalid.
Are transfers of data to the US under Privacy Shield still possible?
Depends – on which regulator you listen to. Most say ‘no’ and that all transfers on the basis of Privacy Shield are now illegal.
However, in the UK the ICO has stated that organisations currently using Privacy Shield can continue to do so until new guidance becomes available. This aligns with the U.S. Department of Commerce’s position, which has also confirmed it will continue to administer the Privacy Shield program and even continue processing applications.
This may be an indication of things to come with respect to transferring personal data to the US from the UK, post completion of ‘Brexit’.
Is there any grace period?
No. The Court has invalidated Privacy Shield Decision on 16 July 2020.
What did the Court rule about Standard Contractual Clauses?
The Court said that Standard Contractual Clauses (“SCCs”) are still valid, but that validity depends on whether there are effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed by the GDPR.
Are transfers of data to the US using SCCs still possible?
Yes, but whether or not you can continue to transfer personal data on the basis of SCCs will depend on the result of an assessment, on a case- by-case basis, taking into account the circumstances of the transfers and any additional measures that could put in place.
If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards cannot be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify, (in the UK), the ICO.
Are transfers of data to the US using other means possible?
Yes, but these are suitable for use only in limited circumstances and only when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers are occasional or not. Derogations are not appropriate for routine/regular or large-scale transfers.
Are transfers of data to other countries using SCCs still possible?
Yes, however the threshold set by the Court for transfers to the US also applies for all other countries. In other words, the same considerations apply, no matter which country data will be transferred to.
What about transfers of data by another organisation acting as a data processor?
Where processing is to be carried out by a third-party data processor the controller can use only processors providing sufficient guarantees to implement appropriate measures that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.
Therefore, a data processor should not transfer data to the US or any other country without making an assessment, on a case- by-case basis, taking into account the circumstances of the transfers and any additional measures that could put in place.
What about transfers of data by another organisation acting as a data sub-processor?
A GDPR-compliant contract with a data processor effectively means that authorisation has to be provided before sub-processors can transfer data to third countries.
What about the Cloud?
Organisations should be aware that a large number of cloud computing solutions in reality provide for or permit the transfer of personal data to a third country.
What about data storage in the UK or EEA?
It should be remembered that even providing access to data from a third country, for instance for administration purposes, also amounts to a transfer.
Are there any other options?
The EDPB says “If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.”
Who has a responsibility?
The Court said that there is an obligation on both the sender of the data (the ‘data exporter’) and the recipient of the data (the ‘data importer’) to verify, prior to any transfer, whether the level of protection in the recipient country is adequate.
In addition, there is a duty on the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, (the data exporter then being obliged to suspend the transfer of data and/or to terminate the contract with the data importer).
What should organisations do now?
Organisations should identify all instances where personal data is being transferred in reliance of Privacy Shield and/or SCCs.
What happens next?
The ICO and/or the EDPB will (hopefully) provide further guidance.