On 16 July 2020, the Court of Justice of the European Union (“CJEU”) declared the Privacy Shield decision invalid and, with it, the certification as an adequate mechanism to transfer personal data from the EEA to the U.S. The judgement in case C-311/18 can be found here.
Thus, transfers of personal data from the EEA to the US based on the Privacy Shield are now illegal. There is no grace period.
The remaining ways to lawfully transfer personal data to the US are:
– Standard Contractual Clauses (SCC)
– Binding Corporate Rules (BCR)
– Approved Code of Conduct and Certifications: NOT AVAILABLE AT THE MOMENT
– Derogation: Consent
– Derogation: Contract
– Derogation: Legitimate Interest
But note that, regardless of the tool you opt for, the Data Importer and the Data Exporter must verify, prior to any transfer, that the level of protection guaranteed by the GDPR in the EU is respected in practice in the third country concerned.
In that regard, the CJEU found that US law, and in particular the three US national security laws FISA 702, E.O. 12333 and PPD-28, does not provide: (i) basic minimum safeguards, (ii) enforceable rights and (iii) effective remedies, as required by GDPR Chapter V, Articles 44 to 46.
Therefore, if you decide to keep on transferring personal data to the US, whatever transfer tool you use, you must assess the individual circumstances of the transfer and put in place supplementary measures that ensure that US law does not impinge on the adequate level of protection. See Art. 46(1) and Recitals 108 and 114 GDPR.
However, the above is very difficult, if not impossible, since the US national security laws mentioned apply to any data transfer via electronic means, meaning any data sent to US servers for processing or back-up purposes: for instance, the data sent by businesses using Google Suite, Oracle, AWS or Salesforce.
Also keep in mind that the US CLOUD Act applies to any US company, including parent companies. Thus, it doesn’t look like data localisation will resolve the issue.
Moreover, the CJEU has drawn attention to the obligations of data exporters and importers that rely on the SCCs:
– The EEA Data Controller, the Recipient and any Data Processor are responsible for verifying that the processing of the personal data, including the transfer, has been and will continue to be carried out in line with the GDPR;
– The Recipient is responsible for notifying immediately if it is unable to comply with its obligations under the SCCs, including situations where it is compelled to hand over EEA personal data to a Law Enforcement Authority; and
– The EEA Data Controller is responsible for immediately suspending or terminating the transfer upon notice from the Recipient that it cannot comply with the SCCs.
Furthermore, the CJEU has highlighted the right and responsibility of the supervisory authorities to identify and suspend or terminate transfers based on the SCCs when the appropriate safeguards cannot be ensured.
And let’s not forget that under the GDPR, an impermissible transfer can result in the higher tier of administrative fines: up to €20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Also, EEA data subjects may bring a private cause of action for an illegal transfer, either individually or as part of a class action.
Honestly, it’s clear that the EU is claiming its digital independence; quoting the Data Protection Commissioner Maja Smoltczyk of the German SA: “the times when personal data is transferred to the US for convenience or cost savings are over after this judgement.”