International Data Transfers in a Post-Privacy Shield World

Thousands of companies rely on Privacy Shield to transfer personal data between the US and the EU. Now that the European Commission has deemed this agreement insufficient, companies are asking: What do you need to do now to continue to do business?

What does the Schrems decision mean for companies?

In order to transfer data outside of the EU, you need a “means of transfer.” EU-US Privacy Shield was one of several methods serving that purpose. As part of the “Schrems II” case, on July 16, 2020 the European Court of Justice (CJEU) ruled that the adequacy decision under the current Privacy Shield was invalid. As a result, Privacy Shield can no longer be used as a data transfer mechanism.

Now, instead of relying on a central agreement managed by the Federal Communications Commission, companies must create and confirm their own agreements with each and every vendor and data partner involved with the use or sale of personal data.

What transfer mechanisms are currently allowed under GDPR?

Binding Corporate Rules:

Similar to the ISO standard or SOC compliance, Binding Corporate Rules provide a stamp of approval that certifies the protection of personal data. However, operationalizing Binding Corporate rules can be too expensive and time consuming for many organizations.

Article 49 derogations in GDPR:

Based on the immediate enforceability of the Schrems decision, the CJEU identified that the Article 49 derogations in GDPR can be used to permit transfers of personal data between the EU-US.

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person

Standard Contractual Clauses (SCC):

Standard Contractual Clauses are another of the means of transfer mechanisms allowed under GDPR. Including SCCs in your agreements with data partners helps you document how personal data will be protected. These clauses are non-negotiable, meaning that they cannot be edited and must be included within agreements in their entirety.

What should I do to make sure my data transfers are compliant with GDPR?

The most important thing for companies to do now is to get a handle on your current data privacy processes. To do this, you will need to fully understand what personal data your organization collects and processes, where personal data resides, who has access to it, where it comes from, and the structure of your current agreements with partners involved in your data ecosystem.

Once you know where you stand, you can make changes if needed to demonstrate good data stewardship and build trust with international partners. You may need to revamp contracts with partner organizations, change product design plans, or transform business processes.

How should I work with my data partners?

It’s important to operationalize all of your privacy agreements to ensure they reflect one of the approved mechanisms for data transfer. Inventory all of your vendor agreements that impact personal data and make sure they include appropriate privacy safeguards. If not, you will need to renegotiate them with your data partners.

To prove compliance, you must be able to show that you have done your due diligence and followed up on all vendor agreements. Look into your vendors’ privacy practices to make sure they are managing personal data as agreed.

How can automation help me maintain compliance?

Doing all of these things is a heavy lift if you do it manually. Privacy management platforms help to automate Privacy Impact Assessments and vendor assessments that document your data transfer processes, as well as map the data flows that show which data is transferred.

What policy changes that impact data transfers should we expect next?

The CJEU ruled that the adequacy decision under current EU-US Privacy Shield program was invalid. This appears to have left a door open for an updated version of Privacy Shield to be considered in the future.

Privacy experts anticipate a long road for policy changes ahead as all countries struggle to determine how to define and measure “adequate” privacy protections.

 

Stay tuned for more updates and recommendations as the impact of the Schrems decision continued to unfold.