"European data watchdogs have issued updated guidance in the wake of last week’s landmark ruling striking down a flagship transatlantic data transfer mechanism called Privacy Shield.
In an FAQ on the Schrems II judgement, the European Data Protection Board (EDPB) warns there will be no regulatory grace period.
The EU-U.S. Privacy Shield is dead, and any companies still relying on it to authorize transfers of EU citizens’ personal data are doing so illegally is the top-line message.
“Transfers on the basis of this legal framework are illegal,” warns the EDPB baldly. Entities that wish to keep on transferring personal data to the U.S. need to use an alternative mechanism — but must first determine whether they can meet the legal requirement to protect the data from U.S. surveillance.
What alternatives are there? Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling. Binding Corporate Rules (BCRs) are also still technically available.
But in both cases, would-be data exporters must conduct an upfront analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.
Anyone who is already using SCCs for the transfer of EU citizens’ data to the U.S. (hi, Facebook!) isn’t exempt from carrying out an assessment — and needs to inform the relevant supervisory authority if they intend to keep using the mechanism.
The rub here for U.S. transfers is that the CJEU judges invalidated Privacy Shield on the grounds that U.S. surveillance laws fundamentally clash with EU privacy rights. So, in other words, Houston, you have a privacy problem…"