Out-Law Analysis 3 min. read
11 Aug 2020, 10:16 am
There are contractual and technical security measures businesses should consider to minimise privacy risks that arise when transferring personal data from the EU to the US and other jurisdictions outside the European Economic Area (EEA). They are ad hoc measures that can bolster existing safeguards identified as having flaws by the EU's highest court.
The Court of Justice of the EU (CJEU) ruled last month to invalidate a European Commission decision that adopted the EU-US Privacy Shield – a framework set up to help businesses transfer personal data across the Atlantic in a way which complies with the requirements of EU data protection law. EU data protection regulators have subsequently confirmed that there is no grace period for businesses to move away from relying on the Privacy Shield for compliance on EU-US data transfers.
Even more significantly, however, the CJEU cast doubt on the ability of businesses to rely on standard contractual clauses (SCCs) – the most popular mechanism for providing data protection law-compliant safeguarding around data transfers from the EU – for EU-US data transfers and for transfers to other jurisdictions with known invasive surveillance regimes, without countervailing safeguards in place for individuals whose data will be transferred.
Jonathan Kirsop
Partner, Head of Technology, Media, and Telecoms
Although the position is still evolving, doing nothing is not an option for businesses. There are actions businesses can consider to minimise their compliance risks
In its judgment in the so-called 'Schrems II' case, the CJEU highlighted shortcomings with the safeguards in place to counteract US legislation that gives US law enforcement and intelligence agencies powers to request and access data. This risk arises where the recipient of data transferred from the EU is subject to the Foreign Intelligence Surveillance Act (FISA) in particular. FISA covers activities of so-called electronic service providers – a term that covers a wide range of companies including technology giants such as Microsoft, Facebook and Amazon Web Services.
The outcome of the ruling is that businesses that have been reliant on the Privacy Shield must immediately find other legal mechanisms to underpin their EU-US data transfers, or risk potential enforcement action, and that businesses turning to or sticking with SCCs – and indeed other data transfer mechanisms such as binding corporate rules (BCRs) – must conduct due diligence to understand the risks of foreign surveillance regimes and put in place any additional safeguards necessary to meet their obligations under EU data protection law if their assessment is that SCCs alone do not ensure adequate data protection for the transferred data.
There is a lack of clarity – at this stage – on what exactly any 'additional safeguards' should comprise of and what additional clauses can be put in place to ensure there are adequate safeguards when supplementing SCCs. The European Data Protection Board (EDPB), which brings together national data protection authorities from across EU member states, has promised guidance to help on this, while the European Commission is in the process of updating the existing SCCs.
Although the position is still evolving, doing nothing is not an option for businesses. There are actions businesses can consider to minimise their compliance risks: