By: Punit Bhatia

A recent Court of Justice of the European Union (CJEU) decision has invalidated the privacy shield. This means your company’s data transfers based on privacy shield are no longer compliant with the law. Does it matter if your company were not relying on privacy shield for transferring personal data of EU residents to the U.S.? And, does it matter if your company is transferring personal data of EU residents to a third country? This article sets the facts straight and guides you on answers to questions like these.

The EU GDPR requires that personal data of EU residents be protected even when the data travels outside of the EU. To achieve this, companies were usually reliant on privacy shield as the accepted protocol when transferring personal data to the U.S. in combination with other means like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Now, if you do not know about these terms, think of SCCs as a standard set of legal clauses that are inserted into contract as data was being transferred outside of EU. And, BCRs are a company’s internal rules for processing that are formally validated by an EU authority and permit a company with BCRs to transfer data within its own entities outside of EU.

What Did the Court Decide?

Based on a case filed by privacy activist Max Schrems, CJEU decided that:

  • EU standards of data protection must travel with the data when it goes overseas. This is re-affirmation of the rules in EU GDPR.
  • EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. This meant the invalidation of the EU-US Privacy Shield (also referred to as Safe Harbor agreement).

While the Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling and the Binding Corporate Rules (BCRs) still remain technically available, the court suggested that data exporters must conduct an upfront analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.

So, anyone using SCCs or BCRs for the transfer of EU residents’ data isn’t exempt from carrying out an assessment and needs to inform the relevant supervisory authority if they intend to keep using the mechanism despite assessment result delivering a negative outcome.

What Does It Mean?

This decision by CJEU has implications in the longer term like SCCs will be revised and new data transfers need to ensure sufficient safeguards over and above SCCs and BCRs. Companies are expected to take following actions:

  • Rewrite contracts or stop transfers if your company relied on privacy shield as means for transfer of personal data to the U.S.
  • Conduct an assessment and evaluate safeguards if your company relied on SCCs or BCRs. Basis assessment, if the conclusion is negative, your company takes corrective action, suspends transfers, or informs the supervisory authorities if your company chooses no action despite a negative conclusion.

It may seem that this impacts only the data transfers to the U.S. However, the fact that the court also said EU data protection rules shall travel with personal data, this can be applied across all your data transfers.

Yes, this does imply that even when you are transferring personal data to a third country, it is recommended that an assessment is conducted and appropriate actions taken (similar to situation of usage of SCCs or BCRs when transferring to US). Yes, this is significant and does create significant effort. And, let us be aware, it is in the interest of both the company exporting data and the company importing data. And this includes software vendors that maybe providing outsourcing services.

Conduct an Assessment to Protect Against Risks

The fact is that companies will be expected to conduct a detailed examination of the circumstances surrounding each transfer, the adequacy of protection in the country to which the data will be transferred, and the parties processing the data. So, irrespective of where your company exports personal data of EU resident, it is worthwhile to review and conduct an assessment to be certain that the safeguards mentioned in contractual terms are sufficient. Likely, there are some actions to make sure your company is protected against the risks.

About the Author

Punit Bhatia is an author, speaker, consultant and trainer on privacy matters. He is one of the leading privacy experts who has worked with professionals in over 30 countries. Bhatia guides business and privacy leaders on GDPR based privacy compliance through online as well as in-person training and consulting. His book, Be Ready for GDPR, is listed in all-time best books on GDPR and his podcast FIT4PRIVACY podcast is ranked number three amongst GDPR Podcasts. Bhatia is an active speaker who has spoken at 30+ global events. Bhatia is a certified Fellow in Information Privacy (FIP), COP, CIPM, and CIPP-E. He can be contacted via his social media channels, especially LinkedIn.

© 2022 IAOP® All Rights Reserved. IAOP, Certified Outsourcing Professionals®, The Outsourcing World Summit® and The Global Outsourcing 100® are registered trademarks of IAOP.