At a stroke, the ECJ ruling on Data Transfers strikes down the EU-US privacy shield, finding it inadequate in protecting an individual’s rights for data transfers from the EU to the US.
As cross border data transfers become an increasingly vital part of trade and business, modern privacy regulations, including the GDPR oblige firms to safeguard the transfer and processing of personal information they control. Many firms comply with their data transfer obligations under the GDPR by enforcing Standard Contractual Clauses (SCCs), large multinationals may use Binding Corporate Rules internally, and more than 5,000 companies used the EU-US privacy shield for transfer between the EU and the US.
At a stroke, the ECJ ruling on Data Transfers strikes down the EU-US privacy shield, finding it inadequate in protecting an individual’s rights for data transfers from the EU to the US. Going further, and perhaps with more far reaching consequences, the ECJ finds that companies must carry out case-by-case analyses on whether SCCs provide adequate guarantees, and whether they need to be supplemented by additional safeguards.
Data Protection Officers will need to act fast to protect their firms from fines or open to individual compensation claims resulting from this change in regulation. So, what should businesses do?
Review your inventory and data maps to identify hotspots. Involve the right stakeholders such as Business, and IT teams to identify the data impacted and reassess your cross-border data transfer arrangements to understand whether existing safeguards are still enough. Your Article 30 inventory should already give you visibility of the data transfers being undertaken in your organization and the controls in place on those transfers. Document for each country whether changes in data transfers or contractual arrangements for those transfers are required, including the US and other countries with poor data protection in general or under national security laws. If you are using Privacy Shield for your US data transfers this will need to be changed, but transfers to other countries need to be considered as well.
Focus on engaging your cloud providers. Many firms have already been considering their cloud provision in light of the US Cloud Act, contracting EU cloud capacity to enable local data processing. Cloud providers themselves have also been expanding their offering of local data hosting or moving the location of hosting in response to privacy concerns, for example, moves out of Hong Kong considering the Securities and Futures Commission’s proposed access to customer banking records.
Review the use of Standard Contractual Clauses (SCC). The ECJ has indicated that use of Standard Contractual Clauses needs to be evaluated. Organizations must carry out case-by-case analyses on whether, for each transfer in question, the SCCs in place provide adequate guarantees, and if not whether the transfer is allowed under an article 49 derogation for transfer (e.g. consent or contract) or if current SCCs need to be supplemented by additional guarantees in order to comply. The European Data Protection Board (EDPB) is looking further into what these supplementary measures could consist of and has committed to providing more guidance, which should be used as an input in your process.
Assess your third parties. Remember that you are equally liable for the data transfer arrangements of your third parties, and a number of firms are likely to be reliant on the EU-US privacy shield for the transfer of data to the US. Conduct a risk-based review of your third-party inventory considering the processes in which they are involved and their likelihood of impact under this ruling. Begin engagement with third parties to understand their plans to comply and update contractual arrangements where required. This could also be a good opportunity to review your third-party contract remediation work, as many organizations had only focused initially on their high-risk third parties, and there might be a gap for medium and low-risk third parties who are transferring data across borders.
Cloud providers can either be a compliance risk or an easy way to enable compliance with the ECJ ruling by moving to host location arrangements. Also bear in mind, that cloud providers come in different sizes and shapes, and so a deep dive needs to be conducted to understand the cloud provider landscape in your organization.
Increase the use of local data processing. The ECJ judgement is just one example of a broader trend within the global privacy and regulatory environment that is making it more difficult to transfer data across borders. The ECJ has indicated that it expects DPAs to take a tough stance on the transfer of data outside of the EU without the consent of the individual or where the transfer is not clearly necessary. Likewise, consolidating data within the EU from abroad creates GDPR obligations for non-EU data, remember that Cambridge Analytica was fined for failure to comply with a GDPR access request from a US resident. Given increasing restrictions on the transfer of personal information across borders, between the EU, US, Russia, India, China and other and the risks that these transfers create, DPOs should increasingly work with the business to understand where data processing can be delivered locally, and transfer avoided.
With these practical actions, DPOs can identify the scale of the impact of the ECJ ruling on their data transfer provisions. Identifying where a switch to SCCs is required, and manage their third-party risks, who may not be as prepared but create as much of a liability as an internal activity. Thus, preparing their organizations for a future of increasingly local data processing, given the new questions that will be asked of the data controller and the increased responsibility to prevent third country access. The wider impact of the ECJ’s ruling will become apparent over time, but for each individual firm and DPO practical management of the risk should start today.
Sharad Patel and Richard Watson-Bruhn are data privacy experts at PA Consulting