The EU Data Protection Board (EDPB) has provided guidance to ensure data transferred outside the EU is adequately protected after the previous framework was struck down.
Privacy Shield, a set of legal standards to ensure data transfers to the US maintained high European privacy standards, was struck down in July 2020 by the Court of Justice of the European Union (CJEU) in the Schrems II court case.
This removed the legal framework used by thousands of European and American companies to move data between the two blocs. With no grace period, businesses were left with only a handful of alternatives – adhere to the far more restrictive Standard Contractual Clauses (SCCs), cease all data transfers outside the EU, or move and silo all data on EU citizens into Europe.
The new guidance from the EDPB provides six main points of advice to companies looking to export data from the EU to the US and beyond.
Firstly, the EDPB advised data exporters to ensure that they know which jurisdictions data will be transferred to. SCCs are designed to ensure that any data transferred beyond the EU still upholds GDPR standards, no matter where it goes.
As such, data transfers to countries beyond the US need to adhere to European standards, with the onus on companies to ensure the data transfers are adequately protected. This effectively bans data transfers to countries considered by the EU to be authoritarian, such as China and Russia.
“Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed,” the EDPB guidance stated.
“You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.”
In addition, the EDPB recommended that companies ensure the transfer tools they use are approved under GDPR, and that they assess third countries to ensure that their laws do not impinge on the safeguards of the transfer tools.
“You should conduct this assessment with due diligence and document it thoroughly, as you will be held accountable to the decision you may take on that basis,” the guidance warned.
If a company finds that third-country laws impinge on its transfer tool, the EDPB recommends adopting additional measures to ensure an EU standard of data protection. This includes taking the formal procedural steps needed to adopt the supplementary measures.
Finally, the EDPB advises that companies regularly re-evaluate the level of protection on data being transferred to third countries.
“The principle of accountability requires continuous vigilance of the level of protection of personal data. Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it,” the guidance read.
With billions of dollars of transatlantic trade and trillions in investment at stake, smooth data flows are integral to maintaining economic cooperation between two of the world’s biggest economies.
Since the loss of the Privacy Shield framework, companies on either side of the Atlantic have been left without a key tool to ensure that data can be transferred legally.
At present, a new framework has not been decided upon and none are on the horizon. Given the contrasting attitudes of the EU and the US to both privacy and surveillance, and centralised and diffused legislation, finding an appropriate compromise is likely to be a long and bumpy journey.
As such, it is likely that SCCs, which essentially mandate a level of data protection equivalent to GDPR, will remain the main standard for EU-US data transfers for the immediate future.