Earlier this year, the ECJ (European Court of Justice) invalidated the EU–US Privacy Shield, ruling that it fails to protect people’s rights to privacy and data protection.
It followed heavy criticism from the Austrian privacy activist Max Schrems, who argued that the US government’s mass surveillance practices contradicted the protections that the Privacy Shield was supposed to provide.
The ECJ didn’t provide an alternative mechanism for conducting transatlantic data transfers, leaving many organisations unsure about how to proceed.
As such, the data privacy group noyb – led by Schrems – contacted 33 organisations to find out how they responded to the ruling.
The group asked organisations whether they were sharing personal information with third parties outside the EU and, if so, what the legal basis for that transfer is, whether those third parties work with the US government, and, in the case of EU–US data transfers, what technical and organisational measures are in place.
How did organisations respond?
An alarmingly high number of answers indicated that organisations are not just struggling with this issue but GDPR (General Data Protection Regulation) compliance in general.
Airbnb and WhatsApp didn’t respond, and Netflix and American Express failed to provide substantial information.
Slack was evasive, saying that it did not “voluntarily” provide governments with access to personal data, without stating whether it was compelled to do so under US surveillance laws such as Section 702 of the FISA (Foreign Intelligence Surveillance Act).
By contrast, several organisations provided comprehensive answers, with the majority saying that they relied on SCCs (Standard Contractual Clauses).
Of the 33 organisations that were contacted, 19 said they used SCCs, which are legal contracts that are widely used between the EU and the rest of the world.
They outline the terms and conditions for data transfers, and apply when organisations participate in two-way data sharing and internal personal data transfers.
Schrems’s complaints against the Privacy Shield also challenged the validity of SCCs, and although the ECJ chose not to abolish them, it did restrict their applicability.
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis of them to determine whether protections concerning government access to personal data meet EU standards.
It’s not clear from the responses noyb received whether organisations had done this.
So, what should you be doing?
For most organisations, SCCs are the most appropriate way to make transatlantic data transfers, but if you’re not familiar with how they work or with the new rules surrounding them, you will have your work cut out.
Fortunately, our EU–US GDPR Data Transfer Assessment and Action Plan makes this process easy.
We will conduct a thorough assessment of your data transfer practices and requirements, and provide step-by-step advice on how to complete data transfers efficiently and in line with the GDPR’s requirements.