Privacy Shield no longer valid. These are the alternatives.
Data exchange with the USA was allowed because the USA was considered “adequate”, but not anymore… On the 16th of July 2020, the European Court of Justice declared the so-called ‘Privacy Shield’ agreement between Europe and the USA invalid. The ruling was made because the data of Europeans would not be sufficiently protected in the USA. But are there alternatives for sharing personal data with the USA?
What is the Privacy Shield?
The Privacy Shield is an agreement between Europe and the USA. It imposes rules on U.S. companies that process European personal data. Some of its requirements are, for example:
- Having a complaints procedure
- Applying the principle of data minimization
- Strict conditions for data transfer to third parties
- Being transparent about what you do with the data
Until that 16th of July…
The European Court of Justice states that not only the contractual arrangements between the processor and the controller should be considered, but also the relevant aspects of the legal system of the third country. After all, there are many surveillance programs in the USA that are considered disproportionate in Europe, because they go far beyond what is strictly necessary. For example, police and security services can easily access personal data.
The European Commission will now have to negotiate a new agreement with the USA. These negotiations will start soon. In the meantime, a number of other mechanisms for sharing data with third countries remain in place.
What other transfer mechanisms are there?
As a European company, you should document whether you have data flows outside the EEA. Companies often think they have no data flows to third countries because their data center is located in Belgium. But think of cloud storage providers, newsletter providers, etc. These are often companies located in the USA or elsewhere. Such data flows are allowed if the destination country has been found “adequate”, but also in the following cases:
- Contractual clauses:
  - Standard contractual clauses: the European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. (Overview of current approved standard contractual clauses)
  - Contractual clauses proposed by the company itself: if the data controller does not opt for a model contract from the European Commission, it can still draw up its own (ad hoc) contractual clauses that provide sufficient guarantees for data protection. In principle, these provisions must be endorsed by the DPA and be subject to the consistency mechanism in accordance with Article 46.4 of the GDPR. This means that these provisions will have to be approved by the EDPB.
- Binding corporate rules: applicable to multinationals that want to set up intra-group data flows. BCRs enable companies to exchange data outside the European Union within the same group of companies, without compromising the level of protection for individuals guaranteed by the GDPR. BCRs must be approved by the DPA.
- The data subject has given unambiguous consent: when data is exchanged with a country that has not been found adequate, no contractual clauses are in place and binding corporate rules do not apply, the data exchange may only take place if the data subject has given unambiguous consent for this specific international data transfer.
The Court of Justice stated in its judgment that it has no problems with standard contractual clauses as such. However, the data protection authority of each country is allowed to check whether the mechanism is strict enough to protect its data subjects. So there is still a chance that national data protection authorities will declare that mechanism invalid as well, since the legal framework of the USA is unchanged: security services can still access a great deal of information.
Time to investigate alternatives closer to home?
There are enough other methods to make international data transfer possible. But in the USA a lot remains possible for security services, so privacy cannot be guaranteed at the same level as within the European member states.
Maybe that is why now is the ideal time to investigate whether there are more privacy-friendly alternatives, closer to home, for the services you are currently using in the USA…