
Data Transfer Just Became More Complicated

27th July 2020
Nick Mulcahy

The recent ruling by the EU Court of Justice invalidating the adequacy of the EU-US Data Protection Shield requires careful consideration by organisations.

The case of the Data Protection Commissioner v Facebook Ireland and Max Schrems means that the transfer of data between the EU and the US under the ‘Privacy Shield’ agreement is no longer possible. However, Standard Contractual Clauses (SCCs) are upheld provided they guarantee data protections in line with EU law.

Many organisations are currently taking legal advice as a necessary first step in understanding the impact of this decision. However, organisations should also review existing contracts in place with third party service providers and revise the mechanisms for executing data transfers to ensure information resilience.

BSI is advising organisations of all sizes, across all industry sectors, that transfer data between Ireland or other European countries and the US to review their current data transfers.

Suggested Review

The company has outlined the following steps that will support businesses to efficiently undertake this review and allow them to assess and identify what revisions or updates need to be made:


• Review your current personal data transfers to third parties and identify those that rely on Privacy Shield or Standard Contractual Clauses.

• Categorise each data transfer using clearly defined criteria. Examples of these might include:
  - the third party’s jurisdiction
  - existence of any sub-processors and their jurisdiction(s)
  - the scope of the data processing activity
  - the sensitivity of the personal data involved
  - the volume of data or size of data flow
  - the criticality of the processing activity to the business.

• Determine the impact the ruling has on each data transfer. For example, if it relied on the Privacy Shield then this must be replaced.

• Identify solutions for your business to ensure personal data transfers remain lawful. For example:
  - replace Privacy Shield with sufficiently robust SCCs
  - re-evaluate existing SCCs
  - consider alternative derogations such as explicit consent of the data subjects (per Art 49 of the GDPR), or
  - make changes to business processes and outsourcing activities.

Alternative Mechanism

Conor Hogan (pictured), global privacy practice lead at BSI, explains: “The flow of data between jurisdictions across the globe is continuing to grow. Organisations that have relied on Privacy Shield to transfer personal data to the United States now need to find an alternative mechanism to ensure those transfers continue to be lawful.

“While SCCs have been upheld by the CJEU, and they remain valid mechanisms to transfer data to third countries including the US and a ‘Brexited’ United Kingdom, this is only the case if there are guaranteed and verifiable protections for the personal data in line with EU laws, like the GDPR and the Charter of Fundamental Rights.

“The court also expects regulators, for example the Data Protection Commission in Ireland, to suspend and prohibit transfers on a case-by-case basis where SCCs cannot guarantee protections in line with EU law.”

Hogan added that, following the ruling, BSI is encouraging businesses to review their existing data transfers and make the necessary adjustments to ensure continued compliance.

Hogan continued: “Monitoring the evolving nature of the global data protection landscape is a critical requirement for maintaining ongoing compliance. Carrying out regular assessments of third-party data processors, and agreed contractual agreements, can ensure data protection rights are protected, and information resilience is maintained and strengthened.”
