Privacy Shield, on the transfer of data from the EU to the US, can no longer be used
Two important EU events last week are creating significant problems for European companies: first, Competition Commissioner Margrethe Vestager's major defeat in the Apple case on EU tax agreements, and then the EU court ruling that the official basis for data transfers to the US was invalid.
It has not been boring to be a GDPR consultant, supplier, or lawyer for the last 2-3 years. Since the very complex ruling of the European Court of Justice last week, which invalidates the EU-US Data Privacy Shield on the transfer of data from the EU to the US, several companies have been confused. The court’s decision is significant enough to require the attention of the company’s top management and a strategic decision on the company’s risk tolerance for data transfers in the future.
Adequate documentation, action plans and safety measures
The ruling raises more questions than answers. However, whether companies on both sides of the Atlantic use Privacy Shield or Standard Contractual Clauses (SCC) as a basis for transferring personal data to the US, management must decide and document how the company will respond strategically in the future and develop an action plan based on its risk profile.
The extent of data transfers
Companies need to ensure that adequate documentation, action plans and security measures regarding data transfers are in place.
The decision will have an immediate impact not only on the approx. 5,500 US companies that were dependent on the Privacy Shield but also on other companies that have been quite sceptical about using frameworks such as Standard Contractual Clauses (SCC) as the only guarantee for data transfers.
EU-US deals with SCC
The 97-page legal opinion states that US surveillance programs did not mean that standard contract terms, which are currently used by more than 100,000 companies to share data with the United States, could not be used in the future.
The decision may have the following ten outcomes or options:
- EU data will still flow to the US, more or less precisely as before. Nobody will turn off the internet due to the verdict.
- Expect vendors to offer pre-signed SCCs for immediate counter-signature
- US vendors that solely relied on the Privacy Shield as a transfer framework should promptly move over to SCCs.
- Consider the establishment of regional data centers or make significant changes in how data is processed
- Expect increased litigation from, e.g. consumer organisations
- The verdict will probably trigger reciprocity from some countries that want their data to be stored in their own countries with possible needs for new regionalised data centers
- Added interest for establishing EU data centres from US vendors without a US dial-in for development or customer support
- Enterprise customers will insist on SCCs for future vendor deals. They will review legacy contracts to move existing vendors reliant on Privacy Shield over to SCCs.
- Expect added business resentment on deals if US vendors cannot provide assurances of commitment to, and compliance with, their SCC commitments
- EU Commission and the EDPB should quickly produce a sustainable solution for data transfers – either with an SCC update or a framework for processor-to-processor transfers.
Invest more to find solutions
The GDPR also requires companies to assess the ‘granularity’ of each data transfer set, which will be extremely cumbersome and time-consuming. The top European regulator will undoubtedly provide the guidelines and framework needed for companies to rely on data transfer. While larger companies will invest more to find solutions, more of the small businesses crucial to the success of Europe’s digital economy would suffer.
The ruling also carries a price tag and has an impact on small companies and smaller start-up tech companies that rely on global data transfers. This added burden on international data transfers, together with the uncertainty about EU tax treaties, would not help the ambition to develop European growth in the digital space and would not enhance Europe’s ambition to lead the world in the digital economy with artificial intelligence and data sharing.
The verdict requires careful consideration in the coming days and weeks. On the one hand, we need to honour the Schrems II decision, but on the other hand, we need to limit the negative consequences in order to protect transatlantic trade worth $7.1 trillion, and limit the added uncertainty surrounding the possibility of using Standard Contractual Clauses (SCC) for data transfer to the United States.