Schrems II Archives - TechGDPR (https://techgdpr.com/blog/tag/schrems-ii/)

EU-US Data Privacy Framework Adopted (https://techgdpr.com/blog/eu-us-data-privacy-framework-adopted/), Mon, 10 Jul 2023
This afternoon, the European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework. This decision finds that the United States provides an equivalent level of data protection to that of the European Union, enabling the safe and unrestricted flow of personal data from the EU to U.S. companies under the new framework.

EU Companies using US vendors for their data

For companies operating within the EU, this adequacy decision eliminates the need for additional data protection measures when transferring personal data to U.S. vendors participating in the EU-U.S. Data Privacy Framework. It streamlines data transfers, allowing businesses to focus on their core operations without being burdened by complex compliance requirements.

If your company relies on U.S. vendors for services or data processing, this decision brings positive implications. The EU-US Data Privacy Framework introduces comprehensive binding safeguards to address concerns raised by the European Court of Justice. These safeguards ensure that access to EU data by U.S. intelligence services is limited to what is necessary and proportionate for national security purposes.

Moreover, the framework establishes a redress mechanism for EU individuals whose data is mishandled by U.S. companies. This includes independent dispute resolution mechanisms and an arbitration panel, providing added assurance to EU consumers and reinforcing trust in transatlantic data flows.

Serving EU Customers from the US

For U.S. vendors seeking to serve EU customers, participation in the EU-US Data Privacy Framework is crucial. By committing to comply with a detailed set of privacy obligations, U.S. companies can demonstrate their adherence to the high data protection standards required by the EU. This includes obligations such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties.

The framework will be administered by the U.S. Department of Commerce, ensuring proper oversight and monitoring of participating companies’ compliance. The U.S. Federal Trade Commission will enforce these obligations, safeguarding the interests of EU individuals and promoting accountability among U.S. vendors.

It is important to note that the safeguards implemented by the U.S. government to protect data privacy will also benefit companies using other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. This provides flexibility and reassurance for companies engaged in transatlantic data transfers, regardless of the specific mechanism they choose.

cross-border enforcement

We encourage companies to familiarize themselves with the details of the adequacy decision and the obligations set forth in the EU-US Data Privacy Framework as this will affect many data setups.

Criticism of the EU-US Data Privacy Framework

Critics argue that the new Trans-Atlantic Data Privacy Framework closely resembles its predecessors, particularly the failed “Privacy Shield” agreement. The fundamental concerns regarding U.S. surveillance laws and the unequal treatment of non-U.S. persons in terms of constitutional rights remain largely unaddressed. The framework’s reliance on the U.S. Executive Order 14086, which includes the term “proportionate” but interprets it differently than the European Court of Justice (CJEU), has raised concerns about the adequacy of protections.

Furthermore, the redress mechanism established under the new framework has been questioned. While some improvements have been made compared to the previous “Ombudsperson” mechanism, the individual’s direct interaction with the newly formed Civil Liberties Protection Officer (CLPO) and the “Court” is limited. Critics argue that this mechanism does not provide true judicial redress, as the response is already known before a case is brought, potentially undermining the effectiveness of individuals’ rights to seek redress.

It is expected that the privacy advocacy group noyb (None of Your Business) will challenge the adequacy decision in court. They contend that the new framework lacks substantial changes and does not address the necessary reforms to U.S. surveillance laws. Previous attempts, such as the “Safe Harbor” and “Privacy Shield,” have been declared invalid by the CJEU.

The potential legal challenge could result in further scrutiny of the Trans-Atlantic Data Privacy Framework. If the case reaches the CJEU, the court may suspend the framework during the review process, leading to a final decision in 2024 or 2025. This uncertainty raises concerns about the legal validity of data transfers conducted under the new framework.

Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling (https://techgdpr.com/blog/data-protection-digest-20032023-position-of-dpos-user-behavior-analysis-creditworthiness-and-profiling/), Mon, 20 Mar 2023
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

DPOs enforcement action: The EDPB launches coordinated enforcement action on the designation and position of data protection officers. DPOs across the EU will be sent questionnaires, with the possibility of further formal investigations and follow-ups. According to the Portuguese data protection agency, it will ask DPOs to voluntarily participate in the action and they do not have to identify themselves or the organisation concerned. The Spanish privacy regulator says it will analyse the practices of tens of thousands of public and private sector entities, (education, banking, health, security, financial solvency, etc.) 

The questions will be related, among others, to the designation, knowledge, and experience of the data protection officers, their tasks, and resources. Special attention will be paid to the independent and effective performance of the tasks of the DPO, and their possible conflict of interest, (where they exercise additional functions of compliance officers, IT managers, etc.), explains the Bavarian data protection supervisor. The requirement for DPOs to report directly to the highest management level of the controller or processor, and their operating conditions, (based on organisational charts, annual reports, etc), also will be checked.

UK Data Protection reform resumes: The Data Protection and Digital Information Bill was reintroduced in the House of Commons. Following a rapid change in the UK government last summer, the reading of the old document did not occur as expected. Much of the new bill is the same as the withdrawn one. The new document also followed a detailed co-design process with industry, business, privacy, and consumer groups. It would reduce burdens on companies and researchers and boost the economy by 4.7 billion pounds over the next decade. The research briefing on the draft reform bill is available here.

Creditworthiness and profiling risks: The CJEU’s Advocate General suggests that the automated establishment of the ability of a person to service a loan constitutes profiling under the GDPR. In the related case, a German company governed by private law (SCHUFA) provided a credit institution with a score for the citizen in question, which served as the basis for a refusal to grant credit. The citizen requested that SCHUFA erase the entry concerning her and grant her access to the corresponding data. SCHUFA merely informed her of the relevant score and of the principles underlying the calculation method, without informing her of the specific data included, arguing that the calculation method is a trade secret. Other related cases concerned the lawfulness of the storage by credit information agencies of citizen data from public registers (on discharge from remaining debts).

Official guidance

Data subject access rights: The Latvian data protection agency DVI explains what the right to access your data means. Every natural person has the right to obtain accurate information about their data, (or a copy of it), held by an organisation. For example, a person participated in a job interview and has not passed the rounds of applicant selection. In order to find out whether or not the company has stored personal data, the person can contact the company and ask, and if this is the case, demand an explanation for what purpose it is processed. The individual must first contact the organisation using the communication channels or methods specified in the privacy policy. The request should be as clear as possible, and include:

  • identifying information of the requester, (the organisation has the right to additional information, so the person can be identified correctly);
  • an indication whether the information is desired for all data or for a specific case;
  • an indication of the period for which information is to be provided;
  • precise requests referring to all or any of the above questions.

The organisation may refuse the request if it was already answered or it is disproportionally large, unidentified, or the information is covered by other regulatory acts. But if the organisation does not respond to the request within a month, and does not provide the information, (or the reasons for refusal), the person has the right to file a complaint with the data protection authority. 

Dematerialised receipts: The French privacy regulator CNIL looked at dematerialised receipts that merchants can offer you in place of traditional printed ones. You must still have the choice of whether or not to receive one (via email or SMS), as dematerialisation is not provided for by law. Dematerialised receipts allow the merchant to collect and reuse your data for advertising, but they must respect your rights by asking for your consent or by allowing you to opt out. If a merchant offers retrieval of your receipt by scanning a QR code with your smartphone, only the technical data necessary to establish the connection between the devices should be collected. Finally, the creation of a loyalty or online account is not mandatory to obtain your receipt.

User and Entity Behavior Analysis: UEBA techniques have a multitude of applications that always have something in common: recording user behavior in the past, then modeling this behavior in the present, and, if possible, predicting what it will be like in the future. According to the Spanish privacy regulator AEPD, techniques used online collect massive amounts of data and almost always apply machine learning or AI. Users are always people, entities can be animals, vehicles, mobile devices, sensors, etc. The application of these techniques depends on the specific application domain, since it may be interesting to analyse the individual behavior of people or their behavior from a social perspective in three main domains: 

  • service and marketing optimisation; 
  • cybersecurity; 
  • health and safety.

When personal data is processed, the principles established in the GDPR are mandatory, including transparency, data minimisation, and purpose limitation. But in many cases, users are not informed about the types of techniques that are being used, the depth of the treatment, the scope of data sharing, or the potential impact that a data breach may have.

Algorithmic fairness: The UK privacy regulator ICO decided to update its guidance to help organisations adopt new technologies while protecting people and vulnerable groups. New content was added on AI and inferences, affinity groups, special category data, as well as things to consider as part of your DPIA. The updated guidance explains the differences between fairness, algorithmic fairness, bias, and discrimination. It also explains the different sources of bias that can lead to unfairness and possible mitigation measures. There is a new section about data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. Technical terms are also explained in the updated glossary.

Enforcement decisions

Irish queries: The Irish data protection authority DPC in its 2022 report stated that the most frequent GDPR topics for queries and complaints were: access requests, fair-processing, disclosure, direct marketing, and right to be forgotten, (delisting and/or removal requests). At the same time, breach notifications were down 12% on 2021 figures. The most frequent cause of breaches reported arose as a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total. Where possible the DPC endeavored to resolve individual complaints informally – as provided for in the Data Protection Act 2018. Overall, the DPC concluded 10,008 cases in 2022 of which 3,133 were resolved through formal complaint handling. 

Medical research data: The French privacy regulator CNIL reminds two medical research organisations of their legal obligations – to carry out an impact assessment on data protection and to properly inform individuals. Health research must be authorised by the CNIL or comply with a reference methodology. These methodologies require a DPIA to be carried out before starting the research. A single analysis may cover a set of processing operations that present similar risks, (eg, similar projects, using the same IT tools). 

Information notices provided by the two organisations also did not specify the nature of the information collected or its retention period, contact details of the data protection officer or the procedures for appealing to the CNIL. Finally, an information notice stated that the data was anonymised, which was not the case since the identity of the patients was only replaced by a three-digit “patient number” and a “patient code” composed of two letters corresponding to the first initial of the name and surname of the person concerned.

Political affiliation data: In Romania, a political party was fined following a data breach notification. The data stored on an operator’s server hosting an application became subject to a phishing attack. It was found that the operator did not implement adequate technical and organisational measures to ensure an appropriate level of security, such as encryption or pseudonymisation of the personal data stored. This led to a loss of confidentiality through unauthorised access to and use of personal data such as name, surname, personal numeric code, e-mail, telephone number, and political affiliation data.

Non-conformant data breach notice: The Norwegian data protection authority Datatilsynet imposed a fine of approx. 220,000 euros on the US company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach that affected the personal data of all their European employees, including in Norway. Argon believed that they did not need to report the security breach until after they had a complete overview of the incident and all its consequences. The US company sent a notice to the Norwegian regulator only in September 2021, long after the 72-hour deadline for reporting a breach under Art. 33 of the GDPR. The security breach concerned personal data that could be used for fraud and identity theft.

Data Security

PETs: The OECD offers guidance on emerging privacy-enhancing technologies – digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. This often includes zero-knowledge proofs, differential privacy, synthetic data, anonymisation, and pseudonymisation tools, as well as homomorphic encryption, multi-party computation, federated learning, and personal data stores. However, the majority of these tools lack standalone applications, have limited use cases, and are still in the early stages of development.

Big Tech

Meta and Dutch users: Facebook Ireland acted unlawfully when processing the personal data of Dutch users, states an Amsterdam court. Between 2010 and 2020, users’ personal information was processed illegally for marketing purposes. Additionally, it was distributed to third parties devoid of legal justification and without properly informing users about it. Also, consent was not obtained before processing sensitive personal data for advertising purposes, such as sexual orientation or religion. This concerned both information voluntarily provided by users and information that Facebook Ireland collected by observing users’ online browsing patterns outside the Facebook service. 

Meta tracking tools: According to the Austrian data protection authority DSB, the use of Facebook’s tracking tools (Login and Meta Pixel) is a violation of both the GDPR and the “Schrems II” ruling. As a result of US surveillance laws requiring companies like Facebook to disclose users’ information to the authorities, the CJEU determined in 2020 that using US providers violates the GDPR. According to the NOYB foundation, which launched the complaint, numerous websites track users using Meta tracking technology to display personalised ads. Websites using this technology also send all user data to US multinationals. And while the EU-US Data Privacy Framework is waiting for approval from the European Commission, the US government continues bulk surveillance of EU users.

Meta’s WhatsApp settlement in the EU: The European Commission and the European network of consumer authorities have closed their investigation into Meta’s messaging app WhatsApp following a complaint made by the BEUC, (the European Consumer Organisation). WhatsApp has committed to better explain the policy changes it intends to make and to give users a possibility to reject them as easily as to accept them. Unfortunately, this will only apply to future changes to the app. However, the complaint identified multiple breaches of consumer and data subject rights since 2021 including aggressive commercial practices, and unclear and misleading terms of use and notices to its users. 

Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords (https://techgdpr.com/blog/weekly-digest-27122021-facebook-data-transfer-ttdsg-contactless-payments-tech-buzzwords/), Mon, 27 Dec 2021
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: Facebook data transfer hustle, Amazon fine halted, adequacy for South Korea

Despite the CJEU twice declaring that the US does not offer sufficient protection for Europeans’ data from American national security agencies, Facebook (Meta)’s lawyers continue to disagree, according to internal documents seen by the POLITICO EU newspaper. In July 2020, the CJEU struck down a US-EU data transfer framework, the Privacy Shield, but upheld the legality of another safeguard instrument used to export data out of the EU – Standard Contractual Clauses (SCCs).

Facebook’s lawyers argue that the EU court ruling relates only to the Privacy Shield data pact, (Art. 45 of the GDPR), and not the SCCs, (Art.46 of the GDPR), the instrument Facebook uses to transfer data to the US. The company also says that changes to US law and practices since the 2020 ruling should be taken into account, namely the US Federal Trade Commission, “carrying out its role as a data protection agency with unprecedented force and vigour.” Finally, the platform’s lawyers note that the 234,998 data requests it received from US authorities in 2020 represents a “tiny fraction” of the total number of users, which Facebook estimates at around 3.3 bln. 

At the same time, Austrian activist and lawyer Maximilian Schrems, who in 2013 started the legal battle against Facebook, states that since the 2020 CJEU judgment the platform has not taken any steps to limit its data transfers. “Instead, it produced an 86 page ‘Transfer Impact Assessment’ under the newly introduced SCCs, coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are”. Reportedly Facebook’s self-assessment document concluded that relevant US law and practice provided protection of personal data that was essentially equivalent to the level of protection required by EU law.

Also last week:

Luxembourg’s legal judgment halts Amazon’s enormous daily GDPR fine. The Administrative court suspended a 746,000 euro fine the US retailer had to pay each day over suspected data privacy breaches. The court ruled that the data protection regulator’s instructions on how to correct the breaches were too vague. In July the Luxembourg data protection commissioner, where Amazon’s European headquarters is based, hit the company with a record fine after deciding that its processing of customers personal data for targeted advertising purposes did not comply with the GDPR. Amazon argued the ruling lacked merit and would be appealed. As of today, hearings between the two parties are still ongoing.

The European Commission has adopted South Korea’s GDPR-governed adequacy ruling. The agreement allows for the free flow of personal data between the EU and the Republic of Korea, without further authorization or additional transfer tools. The decision also covers transfers of personal data between public authorities. The agreement stands on the adequate protections afforded to individuals in the EU under Korean law when their data is transferred to the Republic of Korea, including additional transparency and onward data transfer requirements agreed by both parties. These rules are now binding and enforceable by the South Korean data protection authority, PIPC, and the court system, Hunton Andrews Kurth LLP reports. Read the full South Korea adequacy decision here, as well as the latest Q&As on the EU adequacy mechanism.

Official guidance: TTDSG, card-based payments, COVID status checks

The German Data Protection Conference published their guidance (in German) on the Telecommunications and Telemedia Act (TTDSG), which entered into force on 1 December. The document (open for public consultation) offers operators of websites, apps, and smart home applications assistance in the implementation of the new provisions. The same guide also informs citizens of the key changes in the legal framework, and further clarifies the interplay between the TTDSG, the GDPR and the ePrivacy Directive, namely:

  • The TTDSG goes beyond the scope of the GDPR and establishes a consent requirement for storing or accessing information on users’ terminal equipment, regardless of whether the information relates to a person.
  • Consent for cookies (and similar technologies) can be bundled with consent for subsequent data processing or transfers, if sufficiently transparent.
  • The TTDSG establishes strict requirements for valid consent, with a “reject all” option (with some possible exceptions under anti-fraud/IT security requirements).
  • The aforementioned requirements apply only to data processing within the EEA. Additional examination is therefore always required where the processing involves a transfer to a third country, such as the US, with which the EU has no adequacy agreement.

The guide also explains the rationale behind the “absolutely necessary” cookies, main services, services provided at the user’s demand and the additional functions/services. In the context of websites, users do not have to accept every access to their terminal equipment, in particular the setting of cookies, just because a website or an app has been actively called up. They must first become aware that there are additional services and functions that require access to the terminal device in order to provide them (measurements or analysis of visitors numbers or A/B testing, etc). Also, cookies for any additional functions, such as for storing products in the shopping cart or making a payment, can regularly only be regarded as absolutely necessary in terms of the time dimension when a corresponding user interaction has taken place (when items are actually placed in the cart, or the payment process has been initiated).

The EDPS’s latest TechDispatch section investigates card-based payments, which nowadays go beyond debit cards or credit cards. Contactless payments using Near Field Communication or Quick Response technologies and cardless payments via smartphone apps are just a few examples of new card-based payment methods. The key takeaways include analysis on:

  • payment gateways and processors;
  • balancing interests between anonymity and traceability of personal data;
  • necessity and proportionality of customer identification;
  • processing of special categories of data;
  • GDPR-covered roles and responsibilities; 
  • data retention and surveillance, automated decision making and profiling;
  • data security standards, etc.

In the UK, the Information Commissioner’s office advised organisations about how to look after customers’ personal data when completing COVID status checks. The provisions require data collectors to be clear, open and honest with people about what they are doing with the personal information:

  • display your privacy notice on your website, social media or email it alongside any event information, put up posters around your venue’s entrance;
  • follow the government guidance to determine whether you should carry out purely visual checks, or a digital scan;
  • use only official governmental apps to scan QR codes;
  • don’t create any of your own lists or records with your customers’ status;
  • make sure staff can answer questions about how data will be used and stored;
  • ensure that your staff treat the information that they are checking confidentially;
  • keep up-to-date with the latest advice from the government and the ICO.

Investigations and enforcement actions: gamers’ videos, children’s learning data, ex-employee email box

Gaming giant Ubisoft has confirmed an intrusion into its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” However, Ubisoft did not comment about how many people were affected by the incident: “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles.” Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team also urged players to enable two-factor authentication and to reset passwords.

The Icelandic data protection authority has found the City of Reykjavík guilty of multiple violations of the GDPR, following its failure to comply with data protection obligations in processing children’s personal data, DataGuidance reports. The investigation started over one of the City of Reykjavík’s primary schools’ use of the Seesaw Learning app. The regulator found that the City of Reykjavík failed to process personal data in a fair and transparent manner, noting that:

  • The processing of personal information was not based on valid consent.
  • It was possible to identify registered students for longer than necessary.
  • The system processed the personal data of parents and guardians of students in order to direct marketing at them.
  • The personal information of students was transferred to the US and processed there without sufficient safeguards.
  • The municipality failed to clarify which of the parties was responsible for the processing, to demonstrate any existing data processing agreements, or to complete a DPIA.

The City of Reykjavík was requested to close the accounts of school children in Seesaw and ensure that all their personal information is deleted from the system, but not before a copy of the information has been handed over to the children or, as the case may be, kept in schools. 

The Belgian Data Protection Authority, (DPA), issued a reprimand to a company following violations of Art. 5, 6 and 13 of the GDPR. The organisation had kept the complainant’s email address and mailbox active, leading to the possibility a third party could read received emails and respond in the complainant’s name, after the complainant’s employment agreement had terminated, DataGuidance reports. The complainant’s email address was still in the company’s system in January 2020, despite the fact that the employment agreement with the complainant had ended in 2019. Furthermore, the complainant had not received information about further use of their mailbox and email address, besides being told that they no longer would have access to it. The Belgian DPA did not issue a monetary penalty in this case, considering publication of the reprimand would constitute a sufficient warning.

Opinion: ICO’s regulatory powers

The UK Information Commissioner’s Office, (ICO), has launched a consultation to gather the views of data controllers, their representatives and the public on how it regulates the laws it monitors and enforces. People will have 14 weeks to comment on three documents:

  • The Regulatory Action Policy that reinforces the proportionate and risk-based approach to enforcement, and explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
  • Statutory Guidance that specifies the ICO’s legal obligations to publish guidance to help organisations navigate the law.
  • Statutory Guidance on the Privacy and Electronic Communications Regulations (PECR) that explains how the ICO enforces the data protection legislation relating to electronic communications such as nuisance calls, emails and texts. The guidance focuses on the ICO’s power to issue monetary penalty notices to a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law. 

The forms for written responses are available here.

Big Tech: Google and Meta fines in Russia, Meta/Giphy deal, Alibaba-cloud, tech buzzwords 2021

A Moscow court on Friday said it was fining Alphabet’s Google about 90 mln euros for what it said was a repeated failure to delete content Russia deems illegal, the first revenue-based fine of its kind in Russia. The court also fined Meta more than 20 mln euros on the same grounds. Russia’s communications watchdog Roskomnadzor said that Facebook and Instagram failed to remove two thousand pieces of content that violate Russian laws, whereas Google keeps 2,600 pieces of banned content. Moscow has also demanded that 13 foreign and mostly US technology companies, including Google and Meta, be officially represented on Russian soil by January 1 or face possible restrictions or outright bans.

Facebook owner Meta has appealed against the UK’s ruling that it must sell its animated images platform Giphy. The company does not support the finding that buying Giphy in 2020 constituted a threat to its rivals or could impact competition in display advertising. It is the first time the British regulator, the CMA, has blocked a major digital acquisition. Half of the traffic to Giphy’s huge library of looping videos comes from Facebook, Instagram and WhatsApp. Its GIFs are also popular with users of TikTok, Twitter and Snapchat. The CMA was concerned Meta could limit access or force rivals to provide more user data. Meta argued it would not change the terms of access for competitors, nor collect additional data from the use of GIFs, which have no online tracking mechanisms such as pixels or cookies. Meta also pointed out that Giphy has no presence, employees, offices or revenues in Britain. The CMA noted that UK users look for 1 billion GIFs a month on Giphy, and 73% of the time they spend on social media was on Meta’s Facebook, Instagram and WhatsApp.

Chinese regulators suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations that it failed to promptly report and address a cybersecurity vulnerability. Reportedly, Alibaba Cloud did not immediately report recently discovered vulnerabilities in the popular open-source logging framework Apache Log4j2 to China’s telecommunications regulator, but instead notified the US-based Apache Software Foundation. In response, the Chinese government suspended its partnership with the cloud unit, to be reassessed in six months. This latest measure highlights Beijing’s desire to strengthen control over key online infrastructure and data in the name of national security. The Chinese government has also asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.

Finally, to end the year, the Reuters tech team published a guide to 2021’s tech buzzwords. So, if you’re still drawing a blank as 2021 wraps up, metaverse, web3, social audio, NFTs, tech decentralization, DAOs, “stonks”, gameFI, altcoin, FSD beta, fabs and net zero are all made crystal clear in this quick guide for everyone whose digital lexicon may be in need of an upgrade. 

International Transfers of Personal Data after the Schrems II ruling https://techgdpr.com/blog/international-transfers-personal-data-schrems-ii-ruling/ Thu, 06 Aug 2020 12:55:26 +0000
On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling on the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner, the United States, but turned out to have implications for all countries outside of the European Economic Area (EEA). 

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border. 

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for companies in this group is to self-certify and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, among them Amazon, Facebook, and Google. 

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which were used in 88% of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. This leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be gathered from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by the companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46(3)(a) GDPR), Binding Corporate Rules (Art. 47 GDPR), or derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the United States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance of, or data collection from, them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of the concerned individuals (data subjects), such as the right to be informed and the rights of access, rectification and erasure upon request.

The restrictions above will be difficult to overcome with the available EU privacy safeguards, as the CJEU judgement confirmed. This is exactly the case with transfers to the United States: under Section 702 of FISA (50 USC § 1881a), all “electronic communication service providers”, i.e. providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data that they store about foreigners with the U.S. national enforcement agencies. As a result, it is considered that SCCs cannot be used for transfers of data to these types of providers at all. 

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies can be prohibited by statutory provisions from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check the national enforcement and judicial practice on data protection in their country. Best practice, however, is to treat companies that claim they cannot disclose that information as being under such a statutory obligation, and to interpret that answer as a sign that they are likely to be subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring a whole database, as it may prove impractical to collect consent from all concerned users. 

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or in another third country). That said, the mere convenience of transferring the data to the U.S. cannot be regarded as “necessity”, nor can the cost of the offered solution be a determining factor on its own.

Finally, as a temporary measure, the company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for companies that need time to re-architect their processing activities following the CJEU judgement. A transfer based on legitimate interests must not be repetitive. It must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two conditions apply when relying on this derogation: the need to inform your supervisory authority and the data subjects about the transfers. Thus, legitimate interests might be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or to EU subsidiaries of those companies. In such cases, a strong decision is needed: restructuring your data processing and stopping transfers of personal data outside of the EU. In that case, only local EU service providers will be used, particularly those not under a legal or contractual obligation to transfer data back to the US, or merely to allow other entities access to it.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular from the EDPB and the European Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the first 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow transferring personal data outside of the EEA more easily. This is much awaited work, considering that the current SCCs date back to before the GDPR and are thus not fully in line with the GDPR provisions.

In the meantime, the companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to shore up the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, the choice of measures ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.
