Privacy Shield inadequate (Schrems Deux)

Follow-up on “Should Privacy Shield be suspended” (Update August 2020):

The Schrems 2 case ruling press release from the 16th July (Courts of Justice EU” CJEU” press release here ), so what does it mean for your data?

Firstly, the CJEU has ruled that your data, when used for commercial purposes, are subject to the same rights under EU GDPR law when transferring to any third country.

In the question of public security, defence and State security: The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR. In effect, the EU US Privacy Shield is rendered useless!   In plain language, Privacy Shield is invalid because it does not provide “appropriate safeguards, enforceable rights and effective legal remedies” for your data.

What can be covered by standard contractual clauses “SCC’s” with other third countries or covered by an appropriate EU adequacy agreement, cannot now be accomplished with the USA. Although SCC’s are not entirely ruled-out, the judgement did add some caveats to using them, like:

  • The data controller should be encouraged to use “additional safeguards” to supplement SCC’s

Whom does this affect?

Privacy Shield being made inadequate does not affect all USA based companies, only those subject to FISA (Foreign Intelligence Surveillance Act) or other surveillance laws including the CLOUD Act (Clarifying Lawful Overseas Use of Data act), like Facebook, Apple, Microsoft and Google.

So what can you do?

  • Concentrate your efforts on your contracts with whom your data resides.
  • Good data privacy clauses in your contracts are still the core of good practice. What matters is your good information governance practices.
  • Do you use EU or UK based data storage and service providers? Look at your data flows and see where they exit and enter the UK.
  • Do you have clauses or safeguards in your contracts and information governance practices if you transfer data to third countries? 
  •      Review your contract clauses, amend your privacy notices, inform your customers and be transparent.

The CJEU has asked Supervisory Authorities (like the ICO in the UK) review and provide guidance on this ruling. Keep watching for updates from your Supervisory Authority.

Follow us on LinkedIn, Experts Exchange, Twitter, like and share our articles and message us if you need help!

Next: Follow-up on “No deal, not adequate”