The EU-US Privacy Shield is no more - what now?

Key takeaways:

The Privacy Shield is no more. With over 5000 organizations relying on the Privacy Shield to transfer personal data globally, they now need to find an alternative mechanism to ensure those transfers are lawful.
As CJEU decisions still apply to UK during the Brexit transition period, then similarly UK to US personal data transfers under the Privacy Shield are no longer legal
SCCs are upheld, which means they remain valid mechanisms to transfer data to third countries (including to the US) - but only if the importer (processor) can guarantee in advance the protections in the third country are compliant with the EU
If the data importer (processor) cannot verify and guarantee that, then the exporter (controller) must suspend the transfers
Regulators have the power to suspend and indeed prohibit transfers to third countries on the basis of poorly constructed SCCs that cannot guarantee protections in line with EU law (e.g. GDPR)
With the US adequacy (i.e. Privacy Shield) thrown out because of overreaching state surveillance, there are now also serious doubts around the EU Commission rushing through an adequacy decision for the UK. Therefore, the long term existence of personal data transfers from EU to UK are very much in doubt.

Many organizations are currently taking legal advice as a necessary first step in understanding the impact of this decision. However, organizations will also need review existing contracts in place with third party service providers and revise the mechanisms for executing data transfers to ensure information resilience.

BSI is advising organizations of all sizes, across all industry sectors, to review their current data transfers, in particular those organizations who transfer data between Ireland or other European countries and the US. We have outlined the following steps that will support businesses to efficiently undertake this review and allow them to assess and identify what revisions or updates need to be made:

Revise your current personal data transfers to third parties and identify those that rely on Privacy Shield or Standard Contractual Clauses.

Categorize each data transfer using clearly defined criteria. Examples of these might include:

the third party’s jurisdiction
existence of any sub-processors and their jurisdiction(s)
the scope of the data processing activity
the sensitivity of the personal data involved
the volume of data or size of data flow; and
the criticality of the processing activity to the business

Determine the impact the Ruling has on each data transfer. For example, if it relied on the Privacy Shield then this must be replaced.

Identify solutions for your business to ensure personal data transfers remain lawful. For example:

Replace Privacy Shield with sufficiently robust SCCs
Re-evaluate existing SCCs
Consider alternative derogations such as explicit consent of the data subjects (per Art 49 of the GDPR) or
Make changes to business processes and outsourcing activities.

Sectors

The EU-US Privacy Shield is no more - what now?

Conor Hogan