Last month, the Court of Justice of the European Union ruled that the EU-US Privacy Shield is no longer valid, because US authorities may process transferred data for the purposes of public security, defence and State security (including US surveillance programmes). This means that the levels of protection assured by the GDPR and the EU Charter of Fundamental Rights cannot be guaranteed for these transfers. The invalidation of the EU-US Privacy Shield means that companies relying on it as a lawful mechanism for data transfers can no longer do so, with immediate effect.
Although the ruling states that standard contractual clauses (SCCs) and binding corporate rules (BCRs) can still be used, additional supplementary measures may be required to transfer data to third countries where SCCs or BCRs will not provide a sufficient level of guarantees on their own (although no further guidance is available as yet on what these measures may be). Organisations are now expected to check with their third-party providers whether they are affected by relevant surveillance laws and to determine the lawful basis for sharing data with them or their sub-processors. This could include US organisations, e.g. cloud providers, even if your data is hosted in Europe.
Further details on this ruling and the impact on organisations can be found in the European Data Protection Board’s FAQs.
If you require any help in this area, Evolve North can offer a review, risk assessment and remediation service to help you assess your third parties, identify those that may be impacted by this ruling, and identify ways of implementing additional safeguards or changing your current sharing practices to ensure these continue to be in line with European law. This will also support future planning around Brexit and how it may affect data transfers moving forward.