When Europe’s top court ruled last month the Privacy Shield was not fit for purpose and had to be scrapped immediately, companies were left scratching their heads as to what they could do to ensure data transferred between the European Union and the United States complied with the EU’s stringent data protection law.
While the Court of Justice of the European Union (CJEU) had highlighted the problems, it did not suggest any solutions, especially as to the adequacy of the other two popular mechanisms to enable safe transfers—standard contractual clauses (SCCs) and binding corporate rules (BCRs). The European Data Protection Board (EDPB) was also little help, publishing an FAQ that most notably said there would be no “grace period.”
The EDPB did establish that if data is to be transferred from the European Union to a third country (including the post-Brexit United Kingdom), there needs to be “essential equivalence.” It added SCCs and BCRs do not offer enough protection if data is transferred outside of the European Union to a third country whose data protection laws are not as stringent as those in Europe. Legal, operational, and technical “supplementary measures” may be used on a “case-by-case” basis to improve chances of compliance, but the onus is on companies to check what legal rights individual countries have to the data that flows through them.
The EDPB said it’s still possible to make “occasional and not repetitive” data transfers from the European Economic Area to the United States due to a number of derogations under Article 49 of the General Data Protection Regulation (GDPR). However, data subjects must give their consent prior to any data transfer, and such consent should be:
- Specific for the particular data transfer; and
- Informed, particularly as to the possible risks of the transfer to a third country without similar data protection standards.
Lawyers and privacy experts hope the EDPB and individual data protection authorities will produce more useful guidance as soon as possible. In the meantime, however, they say there are several steps companies can take to protect themselves from potential GDPR violations when transferring data between the European Union and the United States or another third country with similarly strong surveillance laws.
1. As the Privacy Shield is invalid, companies should put SCCs in place in the meantime, and perhaps consider BCRs—which require regulatory approval—as a long-term solution. Both mechanisms are still legal, though not bulletproof, and should demonstrate an effort by companies to comply with the CJEU judgment.
2. Companies should map their international data flows and existing transfer mechanisms. According to law firm Norton Rose Fulbright, doing this will tell them where data is being transferred to (or accessed from), what level of sensitivity should be attached to the data (for example, medical and financial data warrant closer attention), and what export mechanism was previously relied on to facilitate that transfer (the Privacy Shield, SCCs, BCRs, or a derogation). Any mapping exercise should look at the quantity and sensitivity of the data, so that if a government does access it, the potential harm to the individual can be assessed.
3. Companies should also consider whether they should limit certain kinds of data being transferred to third countries, as well as question whether only certain kinds of data should be transferred (rather than all data). Companies may also want to consider whether it is worth delaying—or temporarily suspending—such transfers until clear guidance is released.
4. Companies should also consider what additional legal, technical, practical, or contractual safeguards could be applied to minimize the risks of data transfers. Technical safeguards will include encrypting data, though U.S. companies should use commercially available encryption—anything more technical, niche, or specialized may be classed as a “munition” under the Electronic Code of Federal Regulations (15 CFR 742.15).
5. Contractual measures, meanwhile, could include increased transparency from—and control over—the company importing the data, so the company exporting the data can be satisfied that the importer has a robust process for challenging requests from governments for data access. The data exporter can also add a contractual obligation for the data importer to notify it of access requests from law enforcement authorities, as well as supply information as to how often and what types of requests have been complied with in the past 24 months.
Such information will allow a company that is exporting data to assess the likelihood of its data being accessed, as well as provide it with an opportunity to either relocate certain data types or data processing activities to other countries, or cease processing certain kinds of data altogether.