On 16 July 2020, in what is known as the Schrems II case, the Court of Justice of the European Union ruled that the EU-US Privacy Shield data transfer mechanism is invalid. The Court upheld Standard Contractual Clauses (SCCs) as a transfer mechanism, but with a strong caveat: the data exporter must verify, case by case, that the law of the destination country allows the clauses to be complied with in practice, and national Supervisory Authorities are required to suspend or prohibit transfers where that protection cannot be ensured.
Conor Hogan, Global Practice Director - Privacy at BSI, reviews the impact and implications of the Court's decision on the 5000+ organizations that rely on the Privacy Shield for the transfer of personal data between the EU and the US and vice versa.
Many organizations are currently taking legal advice as a necessary first step in understanding the impact of this decision. However, organizations will also need to review existing contracts with third party service providers and revise the mechanisms they use to execute data transfers in order to ensure information resilience.
BSI is advising organizations of all sizes, across all industry sectors, to review their current data transfers, in particular those organizations that transfer data between Ireland or other European countries and the US. We have outlined the following steps to help businesses undertake this review efficiently and identify what revisions or updates need to be made:
Review your current personal data transfers to third parties and identify those that rely on the Privacy Shield or on Standard Contractual Clauses.
Categorize each data transfer using clearly defined criteria. Examples of these might include:
the third party’s jurisdiction
existence of any sub-processors and their jurisdiction(s)
the scope of the data processing activity
the sensitivity of the personal data involved
the volume of data or size of data flow; and
the criticality of the processing activity to the business
Determine the impact the Ruling has on each data transfer. For example, if a transfer relied on the Privacy Shield, its legal basis must be replaced; if it relied on SCCs, the destination country's law must be assessed to confirm the clauses can actually be complied with.
Identify solutions for your business to ensure personal data transfers remain lawful. For example:
Replace the Privacy Shield with sufficiently robust SCCs, supplemented where necessary by additional safeguards
Re-evaluate existing SCCs against the same test
Consider alternative derogations, such as the explicit consent of the data subjects (per Art 49 of the GDPR), bearing in mind that these are intended for occasional transfers rather than as a routine basis; or
Make changes to business processes and outsourcing activities.