European data watchdogs have issued updated guidance in the wake of last week’s landmark ruling striking down a flagship transatlantic data transfer mechanism called Privacy Shield.
In an FAQ on the Schrems II judgement, the European Data Protection Board (EDPB) warns there will be no regulatory grace period.
The EU-U.S. Privacy Shield is dead, and any companies still relying on it to authorize transfers of EU citizens’ personal data are doing so illegally is the top-line message.
“Transfers on the basis of this legal framework are illegal,” warns the EDPB baldly. Entities that wish to keep on transferring personal data to the U.S. need to use an alternative mechanism — but must first determine whether they can meet the legal requirement to protect the data from U.S. surveillance.
What alternatives are there? Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling. Binding Corporate Rules (BCRs) are also still technically available.
But in both cases, would-be data exporters must conduct an upfront analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.
Anyone who is already using SCCs for the transfer of EU citizens’ data to the U.S. (hi, Facebook!) isn’t exempt from carrying out an assessment — and needs to inform the relevant supervisory authority if they intend to keep using the mechanism.
The rub here for U.S. transfers is that the CJEU judges invalidated Privacy Shield on the grounds that U.S. surveillance laws fundamentally clash with EU privacy rights. So, in other words, Houston, you have a privacy problem…
“The Court found that U.S. law (i.e., Section 702 FISA [Foreign Intelligence Surveillance Act] and EO [Executive Order] 12333) does not ensure an essentially equivalent level of protection,” warns the EDPB in answer to the (expected) frequently asked question: “I am using SCCs with a data importer in the U.S., what should I do?”
“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.”
The ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.
If an EU-U.S. data exporter can’t be confident of that, they are required to pull the plug on the data transfer. No ifs, no buts.
Those who believe they can offer a legal guarantee of “appropriate safeguards” — and thus intend to keep transferring data to the U.S. via SCC — must notify the relevant data watchdog. So there’s no option to carry on “as normal” without informing the regulator.
It’s the same story with BCRs — on which the EDPB notes: “Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.”
So, again, a case by case assessment is required to figure out whether you can be legally confident in offering the required level of protection.