The General Data Protection Regulation (GDPR) demands that the protection granted to personal data in the European Economic Area (EEA), which comprises the EU, Iceland, Liechtenstein and Norway, travel with the data wherever it goes. Any and all transfers of personal data outside of the EEA must provide safeguards for personal data similar to those in the EEA. Privacy Shield was a legal framework and a special agreement between the US and EU that was the most common legal basis for organizations to transfer personal data to the US legally under the GDPR. Organizations in the US needed to self-certify to Privacy Shield through the U.S. Department of Commerce’s International Trade Administration.
On July 26, 2020, the Schrems II case in the European Court of Justice marked the end of Privacy Shield.
What is the Schrems II case?
The first Schrems case, named after the plaintiff Max Schrems, a lawyer and privacy activist, resulted in the annulment of the EU-US privacy principles named ‘Safe Harbour’. Safe Harbour was the predecessor to Privacy Shield. Schrems used the fact that he was a Facebook user as a vector to attack Safe Harbour, since his personal data was transferred to the US, where Facebook stores its data. His timing aligned with the Snowden controversy in the US, and Schrems won the case, resulting in the annulment of Safe Harbour. After the disappearance of Safe Harbour, the EU made another agreement with the US similar to Safe Harbour: Privacy Shield. Now the Schrems II judgement has annulled Privacy Shield as well.
With the Privacy Shield annulled, organizations must find another way to make the transfer legal under the GDPR.
Any country outside of the EEA is defined as a third country in the GDPR. Chapter 5 in the GDPR starts by saying that transfer of personal data, meaning that information is either transferred or accessible to parties outside of the EEA, is only legal if the third country is listed as having adequate levels of protection. With the Privacy Shield gone, the US no longer meets privacy requirements; therefore, a transfer mechanism such as Standard Data Protection Clauses or Binding Corporate Rules (BCR) is required. These transfer mechanics may need supplementary safeguards if the law of the importing third country impinges on the effectiveness of the appropriate transfer mechanics. Even so, you may still face legal challenges resulting from the CLOUD Act in the absence of EU-US international agreements such as MLATs. (For a deeper understanding of transfer mechanics, clauses and the CLOUD Act look here.)
Organizations should evaluate the risks of using a US-based cloud service and assess whether the risks are acceptable. If you are an organization that transfers personal data to the US or any other third country, we suggest following the five steps outlined by the EDPB Recommendations 01/2020 to ensure your transfers stay legal:
1. Know your transfers. Map out the third country transfers in your organization.
2. Verify the transfer tool your transfer relies on. Identify whether the third country is on the list of countries with adequate levels of protection, or which transfer mechanic is used.
3. Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on.
4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. Depending on the transfer mechanic in Article 46, you may need to consult your supervisory authority.
5. Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and monitor if there have been or there will be any developments that may affect it.
Strictly speaking, EU organizations risk a data violation under the GDPR if they use US-based cloud services, because of the CLOUD Act and other uncertainties regarding how abstract the current supplementary measures to the transfer mechanics are. It may be beneficial for organizations to choose a local EEA-based cloud or hosting provider that follows GDPR instead. This is especially true for organizations that handle very sensitive personal data, such as authorities, health care providers, banks, and insurance companies. Sensitive data will require more stringent safeguards and cause higher administrative sanctions if there is a data violation under the GDPR.
Switching hosting providers to a local EEA company is easier than many may think. Our team of experts at Complior places security first to ensure all data is safely transferred with minimal downtime and ready-to-go backup protocols in place. With security requirements of utmost importance to our clients, we are always monitoring, troubleshooting and implementing new regulations as they are announced. GDPR can be intimidating and a drain on resources for small to medium-sized businesses. Complior offers managed hosting solutions for EEA organizations as well as GDPR services to help you fulfill the requirements, protect your data and focus on your core clients and services. Leave your regulatory and IT headaches behind and partner with Complior, a local Swedish partner that utilizes data storage centers right in Stockholm, so you know where your data is at all times with no surprises from US authorities.