Following Schrems II: TRANSFERRING PERSONAL DATA OUT OF THE US

I do not consider myself risk-averse, but I definitely vouch for risk assessments. Simply put, we all face the consequences of our actions, so why not address things adequately? I reviewed the alternative transfer tools available to keep transferring personal data to the U.S. The derogations are limited, and there is no room for manoeuvre since all U.S. businesses must comply with their national laws, e.g., FISA 702, E.O. 12.333, PPD 28, Cloud Act.

This puts us all under great pressure. However, we cannot change American laws, and trying to hide the sun with broad interpretations of the law or compliance tricks, which are likely to backfire, would not be the right management decision. Thus, I want to explore the only real and efficient solution: the transfer of personal data OUT of the U.S.

Prior to that, let’s address the elephant in the room. My suggestion will sound impractical. Most businesses use Microsoft Office 365, Google Docs, Google Analytics, Facebook Pixel, Azure, AWS, Slack, Trello, MailChimp, Salesforce, MS Dynamics, or similar; thus, not sending personal data to the U.S. and stopping the usage of their products or services may seem impossible. 

However, it’s just a matter of looking for other options in EEA jurisdictions or in countries with an adequacy decision*, which will certainly demand time and effort. Still, it’s more reasonable than deciding to ignore the law, doing nothing, and risking having your business's transfers suspended or prohibited.

Have you calculated your losses for each day of not operating because you cannot access your data? Would you be able to keep doing business without your clients’ data? How many days could you handle without revenue? Failing to comply with the law damages your brand and reputation, but also puts at risk your business and the jobs you provide; surely not something to take lightly.

This is a transition phase to a new privacy-focused digital environment. Nobody will suddenly become fully compliant. But, yes, we must have a transitional plan which identifies the personal data, its flow, the international transfers, the suppliers, the risks, your responsibility, and the solutions to the identified risks: how you are mitigating them.

We cannot stop changes, but we can embrace them. We can prepare ourselves to be ahead of the game and set standards in the market that not only raise the bar but also deliver real value to our businesses.

*Only if you have verified that the GDPR’s guarantees are protected in that third country, keep the evidence of your compliance in line with the Accountability Principle.

Jessica Lam

Lawyer, Consultant and Director at TALACKA Ltd., a team of IT business systems experts made up of developers, software architects, project managers, testers, and security advisors.