Last week I wrote about the ECJ ruling that Privacy Shield was invalid. Since then the European Data Protection Board (“EDPB”) has issued more guidance, and things are actually more difficult than they first seemed. So, this is an update and if you transfer personal data to the US it’s very important that you read it.
Since my last blog post, the EDPB and the ICO have issued more guidance, and I suspect there is more to come so watch out for blog updates or make sure you are signed up to my Insight newsletters (The GDPR and Governance one will carry these specific updates).
On Thursday 16th July 2020, the European Court of Justice found that Privacy Shield was no longer a valid way to transfer personal data outside of the EEA, though in general Standard Contractual Clauses (SCCs) were still valid.
Our Supervisory Authority, the ICO, has begun to interpret this and make some recommendations. However, this advice is changing on an almost daily basis and this document is based on the information available as at 29th July 2020; it may be subject to change, so please do check the latest sources for updated information:
- ICO – International transfers
- ICO – Latest statement on ECJ ruling
- EDPB – FAQs on invalidation of Privacy Shield
My interpretation, following a review of these documents and a telephone conversation with the ICO helpline, suggests that:
- Privacy Shield is invalid and can no longer be relied upon
- This is effective immediately, i.e. there is no grace period
Moreover, the FAQs go on to state that SCCs do not ensure an essentially equivalent level of protection to GDPR when applied to the US (SCCs may still be considered for non-US international transfers).
It would therefore seem that transfers of personal data to the US are almost impossible, unless one of the other derogations applies (binding corporate rules, consent, occasional transfers, etc.).
However, this would represent such a cataclysmic change and problem that I sincerely hope the EDPB/ICO offers some practical guidance very soon – watch this space!
So what should you do?
- Have a list of which processors transfer personal data to the US, and the basis on which you could previously justify this (Privacy Shield, SCCs, BCRs, consent, other derogation) – this should come from your Information Audit (or RoPA)
- See what each processor is saying now (but check the evidence for their assertions too)
- Take a view after reading the EDPB and ICO guidance above
- If you are unsure, or want some help, contact me