The CJEU recently invalidated the Privacy Shield, which allowed you to secure the transfer of personal data to the United States. The guarantees it put in place for data protection were deemed insufficient. Don’t panic; this was expected. You can sign standard contractual clauses with your suppliers. This is our legal news of the day.
Why does the Privacy Shield no longer protect data transfers to the US?
Data transfers outside the European Union are quite a saga.
First, there was Safe Harbor, then the Privacy Shield. The European Commission has twice sought to secure the transfer of personal data to the US by granting them an adequacy decision.
Through this type of decision, it recognizes that, by virtue of its internal legislation and the international commitments it has made, the state in question provides a level of data protection comparable to that offered within the EU.
But not just anyone is adequate.
The Court of Justice of the European Union annulled the Safe Harbor Principles and, as of July 16th, has now struck down the Privacy Shield as well.
The proposed guarantees were not sufficient. This is not a surprise. But for many economic players, it was an easy way to deal with this issue when choosing an American service provider.
How to secure your data transfers to the US? Here are our tips on the subject:
Check the EDPS website to understand these transfers;
Establish or update the list of your suppliers transferring personal data to the United States;
Sign standard contractual clauses with your subcontractors.
These legal commitments will not be sufficient in themselves. The CJEU requires you to conduct a risk analysis and ensure that the regulations to which your provider is subject will not prevent them from complying with the content of these clauses or the GDPR.
Limit transfers to the bare minimum through technical and organizational measures that regulate the transit of data and access to it from the United States.
Some examples: local data hosting solutions in the European Union, encryption, data anonymization… Take note of the EDPS FAQ and stay vigilant.
The EDPS is expected to issue a recommendation on additional measures to take. An evolution of the standard contractual clauses is also possible.
Finally, the Noyb association has announced that it is filing a complaint against 101 companies, including several French ones, for transferring data to Google and Facebook despite the CJEU ruling.
The Axeptio tool lets you list your subcontractors by providing information on their compliance: name, transfer country, and protection mechanisms used…
To comply with this critical CJEU decision, Axeptio has removed the United States from the list of countries benefiting from an adequacy decision. Therefore, you can no longer secure your data transfers through the Privacy Shield.