The Privacy Shield was a legal mechanism by which a UK/EU/EEA based company could transfer personal data to the USA. Switzerland had its own version. It was necessary because the US did not qualify as a “safe” country in the eyes of the EU. In June 2018 a case (known as Schrems II) was heard in the European Court of Justice, and in July 2020 judgment was given. This is the highest court and there is no appeal. The judgment struck down the Privacy Shield as a mechanism for the legal transfer of data to the US.
If you use a software provider in the US, this will probably affect you. If you were relying on the Privacy Shield as your way of showing that a transfer of data to the US is legal, you can no longer rely on it.
So what are my options?
There is another mechanism known as the “Standard Contractual Clauses”. These are published by the EU and can form part of an agreement with your Processor/Supplier (you may add to them but not remove or negate any of the clauses). However, there is another aspect to consider. The same judgment said that, as well as the Standard Clauses, consideration needs to be given to whether the local laws of the destination country may conflict with the rights accorded to citizens by the GDPR. This makes using a US processor difficult, as the US has laws allowing the warrantless mass surveillance of all the data of non-US citizens with little redress. It also raises the prospect of you needing to analyse the local laws of any country you transfer data to that is neither EU/EEA nor regarded as “safe” by the EU.
You should also bear in mind that if you use the Standard Clauses you need to satisfy yourself that your processor is not in turn using sub-processors which are not adequately covered.
Whether you already rely on these clauses or plan to use them, you need to undertake a risk assessment for each transfer.
Last but not least:
There are some derogations in the GDPR that you can consider using but they are far from an easy solution and are difficult to justify or manage.
As a small to medium sized company or third sector organisation you probably do not want to spend vast sums of your own time or money getting lawyers and/or data protection professionals to analyse your contracts. In practical terms it may be easier and/or cheaper to move to a provider based in the EU or in a “safe” country. Your current provider may already have set up, or be setting up, an EU based centre, but you still need to ask yourself whether the US government can still access it. You may need to take steps to configure your service so that your data does not go to unsafe countries.
Can I rely on technological safeguards?
It is acceptable to take steps to ensure that, if the data is transferred to an unsafe country, it is not accessible by that state. For instance, if you use a cloud storage solution you could keep your files in an encrypted data store on it, with the key held by you rather than the provider. However, this is not so easily achieved, or even possible, with things like email or application hosting.
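The following is an added example, not code from the original post or from any provider. It shows the storage case in the simplest form: a file is encrypted on your own machine with AES-256-GCM under a key that stays with you, and only the ciphertext is uploaded. The `ProviderStore` type is a stand-in for the cloud bucket (it can read every byte it holds), the `record` value is a constructed sample, and keeping the key in your own key management system rather than with the provider is an assumption the example relies on. Encryption at rest that the provider performs with keys it controls does not achieve the same thing, because a state with access to the provider can obtain those keys.

```go
// Added example (not from the original post): client-side encryption before
// upload, with the key held only by the data controller.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptForStorage seals plaintext with AES-256-GCM under a key that never
// leaves your organisation. Output layout: nonce || ciphertext || GCM tag.
func EncryptForStorage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so one blob carries
	// everything needed to decrypt (given the key).
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFromStorage reverses EncryptForStorage. Any modification of the blob
// by the provider, or by anyone with access to its systems, fails authentication.
func DecryptFromStorage(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// ProviderStore stands in for the cloud storage bucket: it can read every byte
// it holds, which is exactly why only ciphertext may be put in it.
type ProviderStore map[string][]byte

func (s ProviderStore) Put(name string, blob []byte) { s[name] = blob }
func (s ProviderStore) Get(name string) []byte     { return s[name] }

// Exposes reports whether a stored object contains the given personal data
// verbatim, i.e. whether the provider (or a state with access to it) could
// read it without your key.
func (s ProviderStore) Exposes(name string, personalData []byte) bool {
	return bytes.Contains(s.Get(name), personalData)
}

// NewKey generates a fresh 256-bit key. Assumption: in practice it lives in
// your own key management system, never alongside the data at the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed sample record; not real personal data.
	record := []byte("name=Jane Example,email=jane@example.invalid")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}

	// Wrong way: upload plaintext and rely on the provider's own at-rest encryption.
	store.Put("customers-plain.csv", record)
	fmt.Println("plaintext upload readable by provider:", store.Exposes("customers-plain.csv", record))

	// Right way: encrypt locally, upload only the blob.
	blob, err := EncryptForStorage(key, record)
	if err != nil {
		panic(err)
	}
	store.Put("customers.csv.enc", blob)
	fmt.Println("encrypted upload readable by provider:", store.Exposes("customers.csv.enc", record))

	// You, holding the key, can still recover the file.
	back, err := DecryptFromStorage(key, store.Get("customers.csv.enc"))
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))
}
```

Run it with `go run .`; the first check prints `true` (the provider can read a plaintext upload), the second `false`, and the round trip succeeds only with the key you hold. A random nonce per file is what makes re-uploading the same content safe; the GCM tag is what turns silent tampering by anyone on the provider's side into a decryption error you will notice.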
Do I need to act now?
The European Data Protection Board has now said that no grace period was extended by the court, so technically all personal data transfers that relied on the Privacy Shield are now illegal.
Different EU regulators are still looking into the implications, but at least one has decreed that any transfer relying on the Privacy Shield is now essentially breaking the law and has advised that companies remove the data.
As ever minimising the data you do process can only help. If you have no legitimate reason to have it, delete it.
Look at all the suppliers you currently use and identify those where you do rely on the Privacy Shield (USA) or Standard Contractual Clauses. You do not need to worry about suppliers based in the EU/EEA or Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. The UK is regarded as still in the EU for this purpose. These are regarded as safe countries and no action is needed.
To sum it up: Where you are relying on the privacy shield, you need to consider remedial action:
1) Does your supplier have an alternative provision site in a safe country?
2) Can I use technology to help? – i.e. is the data encrypted to a degree where it cannot be accessed by anyone but you?
3) Can I use a different provider that is based in a safe country?
4) Do I need it at all? – e.g. have I got redundant storage?
If you would like to know more or have any particular concerns please contact me here or email me at email@example.com