The European Court of Justice states that not only the contractual arrangements between the processor and controller should be considered, but also relevant aspects of the legal system of the third country should be taken into account. After all, there are many surveillance programs in the USA that are considered disproportionate in Europe, because they go far beyond what is strictly necessary. For example, police and security services can easily touch personal data.
The European Commission will now have to negotiate a new agreement with the USA. These negotiations will start soon. In the meantime, there are still a lot of mechanisms to share data with third countries that are still in place.
What other transfer mechanisms are there?
As a European company, you should document if you have data flows outside the EEA. Often companies think they don’t have data flows to third countries, because their data center is located in Belgium. But think of cloud storage providers, newsletter providers, etc. These are often companies located in the USA or elsewhere. These data flows are allowed if a country is found to be “adequate”, but also in subsequent cases:
- Contractual clauses:
- Standard contractual clauses:
The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. (Overview of current approved standard contractual clauses)
- Contractual clauses proposed by the company itself
If the data controller does not opt for a model contract from the European Commission, he can still draw up his own contractual clauses (ad hoc) that provide sufficient guarantees for data protection. These provisions must in principle be endorsed by the DPA and be subject to the consistency mechanism in accordance with Article 46.4 of the GDPR. This means that these provisions will have to be approved by the EDPB.
- Binding corporate rules:
- Applicable for multinationals wishing to make intra-group flows. The BCR enables companies to exchange data outside the European Union within the same group of companies, without compromising the level of protection for individuals, as guaranteed by the GDPR. BCRs must be approved by the DPA.
- The data subject has given unambiguous consent:
- When data is exchanged with a country that has not been found to be adequate, no contractual clauses are in place and binding corporate rules do not apply, data exchange may only take place if the data subject itself has given unambiguous consent for this international data transfer.
Attention!
The Court of Justice stated in its judgment that it has no problems with standard contractual clauses as such. However, the data protection authority of each country is allowed to check whether the system is strict enough to protect its data subjects. So there is still a chance that national data protection authorities will declare that system invalid as well since the legal framework of the USA remains: security services can handle a lot of information.
Time to investigate alternatives closer to home?
There are enough other methods to make international data transfer possible. But in the USA a lot remains possible for security services, so privacy cannot be guaranteed at the same level as within our European member states.
Maybe that is why now is the ideal time to investigate whether there are not more privacy friendly alternatives, for the services you are using in the USA right now, closer to home…
