Without the Privacy Shield, are your data transfers legal?

Introduction
The General Data Protection Regulation (GDPR) demands that the protection granted to personal data in the European Economic Area (EEA, meaning the EU plus Iceland, Liechtenstein and Norway) must travel with the data wherever it goes.
Any transfer of personal data outside of the EEA must ensure a similar level of protection. Privacy Shield was a legal framework and agreement between the US and EU. It was the most common legal basis for organizations to transfer personal data to the US under GDPR. Organizations in the US needed to self-certify through the U.S. Department of Commerce’s International Trade Administration.
On July 26, 2020, the judgment of the European Court of Justice in the Schrems II case marked the end of Privacy Shield.
What is the Schrems II case?
The first Schrems case, named after Max Schrems (a lawyer and privacy activist), resulted in the annulment of Safe Harbour, which was the predecessor to Privacy Shield.
Schrems challenged Safe Harbour using Facebook as a case example, since his personal data was transferred to the US where Facebook stored its data. The case coincided with the Snowden revelations about US surveillance, contributing to the ruling. After Safe Harbour was invalidated, the EU introduced Privacy Shield as a replacement. The Schrems II judgment later invalidated Privacy Shield as well.
What happens now?
With Privacy Shield annulled, organizations must find alternative legal mechanisms to transfer personal data under GDPR.
Any country outside the EEA is defined as a “third country.” Under Chapter 5 of GDPR, transfers are only legal if the receiving country ensures an adequate level of protection, or an approved transfer mechanism is used.
Since the US no longer meets adequacy requirements, organizations must rely on mechanisms such as Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR).
These mechanisms may require supplementary safeguards if the legal framework of the receiving country undermines their effectiveness.
Additional legal challenges
Even with transfer mechanisms in place, organizations may still face challenges due to laws such as the CLOUD Act. The lack of international agreements (such as mutual legal assistance treaties, MLATs) between the EU and US further complicates compliance.
Recommended steps (EDPB 01/2020)
Organizations transferring personal data should follow these five steps:
- Know your transfers
- Verify your transfer mechanism
- Assess third-country risks
- Implement supplementary measures
- Monitor and re-evaluate
Know your transfers
Map out all transfers of personal data to third countries within your organization.
Verify your transfer mechanism
Determine whether the country has adequate protection or which transfer mechanism is used.
Assess third-country risks
Evaluate whether laws or practices in the receiving country affect the effectiveness of safeguards.
Implement supplementary measures
Adopt additional safeguards to ensure an equivalent level of data protection to that of the EU. You may need to consult your supervisory authority depending on the mechanism used.
Monitor and re-evaluate
Continuously assess the level of protection and monitor any legal or regulatory changes.
Risk considerations
EU organizations using US-based cloud services may risk GDPR violations due to the CLOUD Act and the uncertainty around supplementary measures.
Organizations handling sensitive personal data, such as authorities, healthcare providers, banks, and insurance companies, face even stricter requirements and higher penalties.
Choosing the right hosting strategy
It may be beneficial to choose an EEA-based cloud or hosting provider that operates fully under GDPR. This reduces legal uncertainty, compliance risk and exposure to foreign legislation.
How Complior can help
Switching hosting providers to a local EEA company is often easier than expected. Complior offers secure data migration with minimal downtime, backup protocols, monitoring, and ongoing compliance with new regulations.
GDPR compliance can be complex and resource-intensive, especially for small and medium-sized businesses. Complior provides managed hosting and GDPR services to help organizations meet regulatory requirements, protect sensitive data and focus on their core business.
With data centers located in Stockholm, you always know where your data is stored, without unexpected exposure to foreign authorities.