GDPR and US Privacy Shield 0.1.

GDPR – Since July 2020 the U.S. Privacy Shield has been declared invalid and can no longer be used.

The U.S. Privacy Shield has been declared invalid by the Court of Justice of the European Union. Read more below about the statement and what is meant by transferring personal data to a third country.

What this means for you:

  • Can you continue to transfer personal data to the U.S.?
  • Will your transfer of personal data violate the GDPR provisions on transfer of personal data to a third country?
  • Are you sure that your personal data is managed and stored in the EU by your hosting provider?

If you are going to implement, or have already implemented, a cloud-based solution/system:

  • Are you sure that your personal data is managed and stored in the EU by your system/solution provider or the hosting provider used by the system/solution provider?
  • Does the agreement you have or will negotiate include enough details concerning transfer of personal data to the U.S.?
  • The supplier must be able to describe in which countries personal data (including backups) is stored.

You need to assess and document whether you can continue to transfer personal data to the U.S., in order to ensure that your personal data is protected as stipulated in the GDPR.

If you are in the process of purchasing services to transfer, manage and store personal data in the U.S., i.e. contracting a personal data processor, you need to ask yourself the questions outlined above.

Summary of the statement

The Court of Justice of the European Union has recently ruled that the EU-US Privacy Shield Agreement does not provide adequate protection for personal data when it is transferred to the U.S. The annulment of the Privacy Shield means that EU data controllers are no longer allowed to transfer personal data to recipients in the U.S. on the basis of the Privacy Shield.

Privacy Shield is a self-certification mechanism available in the U.S. This means that companies in the USA can register with the U.S. Department of Commerce and announce that they fulfil the requirements set out in the Privacy Shield. According to a decision by the European Commission, EU data controllers have been allowed to transfer personal data to recipients who have joined the Privacy Shield. Since July 2020, however, the Privacy Shield has been declared invalid and can no longer be used.

The European Data Protection Board states:

The European Data Protection Board (EDPB) welcomes the Court of Justice of the European Union’s (CJEU’s) judgment, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. The CJEU’s decision is one of great importance. The EDPB has taken note of the fact that the Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, and of the fact that it considers Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries valid.

The EDPB discussed the Court’s ruling during its 34th plenary session of 17 July 2020.

With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment.

The EDPB identified in the past some of the main flaws of the Privacy Shield on which the CJEU grounds its decision to declare it invalid.

While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

Source: https://edpb.europa.eu/our-work-tools/our-documents/muu/statement-court-justice-european-union-judgment-case-c-31118-data_en

Examples of transfer of personal data to third countries:

  • When you send documents that contain personal information by email to someone in a country outside the EU/European Economic Area (EEA).
  • When you engage a personal data processor in a country outside the EU/EEA.
  • When you give someone outside the EU/EEA access, for example read access, to personal data stored within the EU/EEA.
  • When you store personal data in a cloud service that is based outside the EU/EEA.
  • When you store personal data, for example on a server, in a country outside the EU/EEA.