On the 16th of July, the EU-US Privacy Shield for data sharing was struck down by the European Court of Justice. It was not unexpected that Privacy Shield would be invalidated and the general consensus was that SCCs would be used if/when this happened. Without Privacy Shield, the US is not on the GDPR adequate countries list.
Fast forward to the 9th of September, the Irish Data Protection Commissioner has effectively invalidated Standard Contractual Clauses (SCCs) as a legal basis for international data transfers out of the EU. It is important to note that the DPC does not work in a vacuum, they would have consulted with their peers across the EU on this decision as it impacts data transfers by Facebook via their other EU subsidiaries.
If enforced by the various EU regulators, this could shut US and international businesses out of EU markets. It is important to note that the decision on SCCs is no great surprise to data privacy professionals. The ECJ ruling was pretty clear that EU companies need to start looking at the surveillance practices of the third countries to which they intend to send data, and the DPC's order follows from that.
The ECJ is asking companies involved in international data transfers to put supplemental measures in place. And what are these supplemental measures? Well, that is the problem. The frustration for companies is the lack of guidance; this is matched by the regulators' frustration that this was always the intention of the GDPR. It has always been evident that the GDPR held non-EU countries to a high standard. The problem here is the surveillance – it is governmental.
The ECJ applied the law – the problem now is that governments around the world are continuing to struggle with the balance between security and privacy.
So what do you do now? Can you still transfer personal data outside the EU in compliance with the GDPR?
It is probably impossible to stop data transfers altogether. It is important to note that simply viewing EU data from the US is itself a data transfer. So, since you cannot stop all data transfers, it is best to do everything else instead.
- Store EU data in the EU. If you have not started this process, then you need to.
- Understand and identify what data you have that is sensitive.
- Encrypt or anonymize as much data as possible, especially sensitive data.
- Can you add non-governmental co-operation clauses to your privacy terms?
- Segregate personal data and restrict it from being transferred to the US.
- Unless the processing is occasional, do not use derogations (Article 49).
Remember, the regulator does not care if the above is technically difficult.
This is a problem that is not going away and needs to be actioned by all companies that store, view or share EU personal data outside the EU. As long as countries outside the EU continue to pass laws that allow increased surveillance of personal data – they will continue to fall foul of the GDPR.
Get in touch with us below if you want to discuss your data transfers.