

European Union:

Privacy Shield Is Invalid. Here’s What You Need To Do Now. “A New Age Of Data Transfers” Part I



This blog is part of a multi-part series, “A new age of data
transfers”, which will explore the practical implications of the
Court of Justice of the European Union’s judgement in Case C-311/18
“Schrems II”.

Following the invalidation of the Privacy Shield on 16 July 2020 by
the Court of Justice of the European Union, the situation with
respect to data transfers is becoming progressively more complex.
Privacy Shield no longer constitutes a valid basis for the transfer
of personal data to the United States and, while Standard Contractual
Clauses remain in force for the time being, constituting an
alternative which is in principle legitimate for the transatlantic
transfer of data, a number of EU Supervisory Authorities (namely the
Berlin, Hamburg and Dutch Data Protection authorities) have adopted
particularly critical positions. Interestingly, the ICO posted the
following statement on its website: “We are currently reviewing our
Privacy Shield guidance after the judgment issued by the European
Court of Justice on Thursday 16 July 2020. If you are currently using
Privacy Shield please continue to do so until new guidance becomes
available. Please do not start to use Privacy Shield during this
period.”

Companies acting both as data controllers and data
processors must now take action in order to ensure the legality of
data transfers from the EU to the US.

Here’s what you need to do now:

5 Actions for Data Controllers

If you are a data controller, it is necessary to:

  1. Identify transfers to the United States (e.g. in the Article 30
    GDPR Records of Processing Activities) and verify the legal basis
    that is used. If the transfer is based on Privacy Shield, a new legal basis must be
    identified (e.g. considering what is mentioned above, Standard Contractual Clauses or, where
    applicable, one of the Article 49 GDPR exceptions, for example,
    transfer necessary for the performance of a contract between the
    data subject and the controller);

  2. Proactively contact suppliers (Data Processors) to indicate
    that it will be necessary to identify a new legal basis (e.g. Standard Contractual Clauses) for the
    processing entrusted to them which involves, directly or through
    sub-contractors (sub-processors), transfers to the United States
    which until now have been regulated on the basis of Privacy Shield (e.g., considering what is
    stated above, Standard Contractual Clauses or, where
    applicable, one of the exceptions pursuant to Article 49 GDPR, for
    example, transfer necessary for the performance of a contract
    between the data subject and the controller);

  3. Once data transfers to the United States have been reorganized
    on a legal basis other than Privacy Shield, update the Records of
    Processing Activities (Article 30 GDPR) and the relevant
    information to be provided pursuant to Articles 13 and 14 GDPR
    accordingly;

  4. Verify and modify references to the Privacy Shield in the Data Controller’s
    privacy documentation (e.g. policies, procedures, contracts,
    etc.);

  5. Carefully monitor the activities of the competent Supervisory
    Authorities regarding further interpretations and practical advice
    to bring any data transfers to the United States in line with the
    decision of the Court of Justice of the European Union, and more
    generally, with the applicable data protection legislation (e.g. in
    case of invalidation of the Standard Contractual Clauses).

5 Actions for Data Processors

If you are a data processor, it is necessary to:

  1. Identify data transfers to the United States (e.g. in the
    Article 30 GDPR Records of Processing Activities) as well as those
    carried out by means of sub-contractors (sub-processors) and verify
    the legal basis used. If the legal basis is Privacy Shield, a new legal basis must be
    agreed upon with the Controller (e.g., considering what is stated
    above, Standard Contractual Clauses or, where
    applicable, one of the exceptions pursuant to Art. 49 GDPR, for
    example, transfer necessary for the performance of a contract
    between the data subject and the controller);

  2. Contact Controllers proactively to indicate that, in the event
    the processing entrusted to Processors involves, directly or
    through sub-contractors (sub-processors), transfers to the United
    States which have until now been regulated on the basis of the Privacy Shield, it will be necessary to
    identify a new legal basis (e.g., considering what is stated above,
    Standard Contractual Clauses or, where
    applicable, one of the exceptions pursuant to Art. 49 GDPR, for
    example, transfer necessary for the performance of a contract
    between the data subject and the controller);

  3. Once data transfers to the United States have been reorganized
    on a legal basis other than Privacy Shield, update the Records of
    Processing Activities (Article 30 GDPR);

  4. Verify and modify, as appropriate, references to Privacy Shield in the relevant privacy
    documentation (e.g. in the Data Processing Agreements
    “DPA” pursuant to Article 28 GDPR);

  5. Carefully monitor the activities of the competent Supervisory
    Authorities regarding further interpretations and practical advice
    to bring any data transfers to the United States in line with the
    decision of the Court of Justice of the European Union and more
    generally, with the applicable data protection legislation (e.g. in
    case of invalidation of the Standard Contractual Clauses).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
