It has been just over a week since Privacy Shield was invalidated, but it feels much longer. Like many privacy pros, I have spent several hours participating in webinars (thank you IAPP) and working with clients to address how to legally accomplish data exports. My clients’ question is consistent, “What do I do now?”
Privacy pros, including the European Data Protection Board (EDPB), are determining how organizations may proceed. It will need to be an individual approach for each organization, as each business has unique processing and legal/regulatory obligations they must meet.
Advice given so far from the EDPB (which was also reflected by Helen Dixon, Irish Data Protection Commissioner, in an IAPP webinar) focuses on the use of Standard Contractual Clauses (SCCs) for cross-border data transfers to countries without an adequacy decision. While derogations may be used in non-routine processing situations, and binding corporate rules or ad hoc contractual clauses are not a short-term option, this approach is sound.
There are, however, things to consider. The EDPB provided some initial guidance on July 17 including:
- “The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.”
- “If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”
- “The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country.”
There is more to come from the EDPB.
Using Standard Contractual Clauses
The first point listed above puts the burden on the exporter to assure that EU data subjects’ personal information is being appropriately protected by the importer. For a U.S.-based processor, a high hurdle exists to assure EU exporters that governmental surveillance is not exposing EU data subjects’ personal information. Remember to take into account your subprocessors, especially cloud providers!
The second point is reassuring…we are all in this together. It is possible to add protections to SCCs that will potentially allow exporting of data to the U.S. The EDPB will be providing guidance as to what additional safeguards are acceptable to protect exported personal data.
The last point is interesting to me. It reflects a perception, possibly a reality, that organizations agree to SCCs and then file them away. The message is clear…as your organizational practices change and as legislation changes, an importer must find a way to assure exporters that compliance with the SCCs remains in place.
I know it is difficult, but, as I said above, don’t panic. You may already be receiving requests from those organizations with whom you share or receive information asking how you will replace your Privacy Shield registration. I suggest delaying your decisions until we get some additional guidance from the EDPB.
In the meantime, if you have not done so already, begin reviewing the SCCs and determine how your organization can comply with their terms. As you do this, or if you have SCCs already in place, it is time to think about a compliance review to be sure you meet your obligations under the SCCs.