Privacy Shield: Data Transfers to the US Declared Invalid
Until recently, there was an agreement in place governing the transfer of personal data to the United States that provided adequate safeguards under the GDPR (Implementing Decision EU 2016/1250). However, on July 16, 2020, the Court of Justice of the European Union (CJEU) declared the EU-US “Privacy Shield” agreement invalid.
This affects all organizations using data services provided by U.S. corporations, such as Amazon Web Services, Google, Microsoft, Rocket Science Group (MailChimp), Salesforce, Zendesk, Zoom, and others.
It does not affect “necessary” data transmissions – such as online purchases, hotel bookings, or emails sent to the U.S. – which may still proceed under Article 49 of the GDPR. Transfers of non-personal data are also unaffected.
The issue specifically concerns outsourced data processing, particularly the use of cloud services. If your contracts with these providers incorporate the EU’s Standard Contractual Clauses (SCCs), as Microsoft does for Office 365, a legal basis for the transfer remains available: the CJEU upheld the SCCs in the same judgment. The clauses contractually bind the provider to EU-level data protection obligations. The court also ruled, however, that the data exporter must verify case by case whether those obligations can actually be honoured in the destination country, and must suspend the transfer where they cannot.
However, the fundamental conflict between U.S. surveillance law and EU data privacy rights persists. U.S. companies remain legally obligated to disclose personal data to U.S. authorities on request (the court examined Section 702 FISA and Executive Order 12333 in particular), while EU companies must guarantee an essentially equivalent level of protection for the personal data they export.
Review your contracts with U.S.-based data processors. Many already incorporate the EU Standard Contractual Clauses. If yours do, document this and assess whether the provider can actually comply with the clauses given the access rights of U.S. authorities. If Privacy Shield was the sole legal mechanism for your transfers to third countries, you must put the EU SCCs in place immediately. The template clauses are published by the European Commission.
For further information on this topic, contact the experts at msecure, a consultancy specializing in data protection and IT security.
Fact: GDPR fines can reach up to 20 million Euro or 4 percent of global annual turnover.
Fact: According to IBM, 95 percent of all cybersecurity incidents are caused by human error.
TL;DR
- Until recently, an agreement existed allowing personal data transfers to the U.S. with adequate safeguards under the GDPR (Implementing Decision EU 2016/1250).
- On July 16, 2020, the EU-US “Privacy Shield” agreement was declared invalid by the CJEU.
- If your contracts with service providers include the EU Standard Contractual Clauses (e.g., Microsoft Office 365), a legal basis for data transfers remains available, subject to a case-by-case check that the provider can actually comply with them.
Key Facts
GDPR Fines: European data protection authorities have issued over 4.5 billion Euro in penalties to date.
Data Breaches: 83 percent of companies experience more than one data breach per year.
Frequently Asked Questions
What penalties apply for GDPR violations?
Fines of up to 20 million Euro or 4 percent of global annual turnover – whichever is higher. Additional claims for damages by affected individuals may also arise.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a systematic evaluation of the risks posed by a data processing activity to the rights and freedoms of individuals. It is mandatory when processing is likely to result in high risks – such as in cases of profiling, video surveillance, or processing of special categories of personal data.
Does the GDPR apply to small businesses?
Yes, the GDPR applies to all organizations, regardless of size, that process personal data of individuals in the EU. Small businesses benefit from limited exemptions (e.g., organizations with fewer than 250 employees need not keep a record of processing activities unless the processing is likely to pose a risk to data subjects, is more than occasional, or involves special categories of data), but must still comply with all core principles.
Related Articles
- DSGVO 2026: What’s Changing and What Companies Need to Know
- How Machine Learning Is Used in IT Security
- Cyberattacks: How Do Hospitals and Medical Practices Protect Themselves?