EU data protection and privacy requirements, currently established primarily in the General Data Protection Regulation (GDPR), generally restrict transfers of personal data to a third country except “where the [European] Commission has decided that [the third country] in question ensures an adequate level of protection” (GDPR Art. 45). This adequacy requirement predates the GDPR, and since 2016 transfers from the EU to the US were covered by the Commission-approved Privacy Shield framework. Privacy Shield itself came about because the previously approved framework, the International Safe Harbor Privacy Principles, was invalidated by the European Court of Justice in 2015.
Now that same court has invalidated Privacy Shield. The GDPR, including Art. 45, remains in effect, so any transfer of personal data from the EU to the US must still take place through a valid GDPR transfer mechanism. Organizations that previously relied on Privacy Shield for GDPR-compliant transfers will therefore need to find a new mechanism, or else face the substantial fines and penalties associated with GDPR non-compliance. To that end, there are essentially three paths an organization that previously relied on Privacy Shield can take to restore its GDPR compliance.
First, an organization could simply wait for a replacement for Privacy Shield to be approved and implement that replacement as quickly as possible. Just as Privacy Shield was a replacement for the invalidated Safe Harbor framework, it is reasonable to assume that US and EU authorities will soon work together in an attempt to create a new “enhanced” version of Privacy Shield; the Joint Statement of the U.S. Department of Commerce and the European Commission says exactly that. Unfortunately, any such framework is likely to be as short-lived as its predecessors, if not more so. The Court’s invalidation of Privacy Shield and Safe Harbor was not based on a legal deficiency in the frameworks themselves, but on the fact that US law allows government access to personal data under circumstances that are not acceptable when viewed through the lens of EU privacy law. So not only would an organization taking this approach be exposed to potential fines for non-compliance while it waits for a replacement to be approved, it might also find that, after going through whatever effort is required to implement the new framework, it is quickly back where it started, relying on yet another invalidated transfer mechanism.
A second approach is to use the other transfer mechanisms recognized by the GDPR and not yet invalidated by the European Court of Justice: standard contractual clauses (SCCs) and binding corporate rules (BCRs). SCCs are used for transfers between different organizations and are widely relied upon as a GDPR-compliant mechanism. But relying on SCCs requires renegotiating and revising all relevant agreements between the organizations involved, which is likely to be a significant effort. Worse, while SCCs were not directly invalidated by the Court, the ruling made clear that SCCs cannot be used where the EU standard of protection cannot actually be met in the destination country. Since that inadequacy in the US was precisely the basis for invalidating Privacy Shield, it seems likely that the SCC mechanism could be struck down for transfers to the US in a future case. The same reasoning probably applies to binding corporate rules, on top of other issues with BCRs such as demanding approval requirements and a lengthy implementation process. Using these mechanisms for all significant EU-US personal data transfers may be a temporary solution at best, and may not be worth the time and effort required.
A third approach, and the only one not likely to be invalidated by the courts barring an unlikely sea change in US law on government access to personal data, is data localization. Data localization means storing and processing EU personal data within the EU, and in some cases creating an EU subsidiary just for this purpose. If data does need to move to the US for processing, the personal information in such datasets can be tokenized, or encrypted with keys that never leave the EU, so that what crosses the border cannot be read by US authorities in contravention of EU privacy law. These technical measures can be combined with SCCs and BCRs to reduce the scope and complexity of implementation while decreasing the likelihood that the combined mechanisms would be invalidated in future litigation.
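The tokenization pattern described above, as an added worked example (this code is not from the original article or from Truvantis): direct identifiers are swapped for random tokens by an EU-resident process, the token-to-identifier mapping (the vault) stays in the EU, and only the tokenized dataset goes to the US for processing. Results come back keyed by token and are re-identified in the EU. The records, field names and the "total spend per customer" use case are constructed for illustration.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample: EU-resident records containing direct identifiers.
EU_RECORDS: List[dict] = [
    {"customer_id": "C-1001", "email": "anna@example.eu", "country": "DE", "order_total_eur": 120.50},
    {"customer_id": "C-1002", "email": "bjorn@example.eu", "country": "SE", "order_total_eur": 80.00},
    {"customer_id": "C-1001", "email": "anna@example.eu", "country": "DE", "order_total_eur": 35.25},
]

# Fields that identify a person directly. Only customer_id needs a token
# (the US side has to group by customer); email is not needed for the use
# case at all, so it is dropped rather than tokenized (data minimisation).
TOKENIZED_FIELDS = ("customer_id",)
DROPPED_FIELDS = ("email",)


class EUTokenVault:
    """Identifier <-> token mapping. This object must remain in the EU.

    Tokens are random (not a hash of the value), so holding a token without
    the vault gives no way to recover or guess the identifier.
    """

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}   # (field, value) -> token
        self._reverse: Dict[str, Tuple[str, str]] = {}   # token -> (field, value)

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._forward:               # same value -> same token, so
            token = secrets.token_hex(16)          # the US side can still group by it
            self._forward[key] = token
            self._reverse[token] = key
        return self._forward[key]

    def detokenize(self, token: str) -> str:
        return self._reverse[token][1]


def prepare_export(records: List[dict], vault: EUTokenVault) -> List[dict]:
    """EU side: produce the dataset that is allowed to leave the EU."""
    exported = []
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in DROPPED_FIELDS}
        for field in TOKENIZED_FIELDS:
            out[field] = vault.tokenize(field, rec[field])
        exported.append(out)
    return exported


def leaks_identifiers(exported: List[dict], original: List[dict]) -> bool:
    """Control check before transfer: no original identifier value may appear
    anywhere in the exported records."""
    sensitive = {str(rec[f]) for rec in original for f in TOKENIZED_FIELDS + DROPPED_FIELDS}
    return any(str(v) in sensitive for rec in exported for v in rec.values())


def us_side_aggregate(exported: List[dict]) -> Dict[str, float]:
    """US side: processing that works entirely on tokens (total spend per token)."""
    totals: Dict[str, float] = {}
    for rec in exported:
        totals[rec["customer_id"]] = totals.get(rec["customer_id"], 0.0) + rec["order_total_eur"]
    return totals


def reidentify(results: Dict[str, float], vault: EUTokenVault) -> Dict[str, float]:
    """EU side: map the returned per-token results back to real customers."""
    return {vault.detokenize(token): total for token, total in results.items()}


if __name__ == "__main__":
    vault = EUTokenVault()
    export = prepare_export(EU_RECORDS, vault)
    assert not leaks_identifiers(export, EU_RECORDS)
    print(reidentify(us_side_aggregate(export), vault))
```

Two points worth noting in practice. First, the tokens are deterministic per customer within one vault so the US side can group records; that same linkability means the exported dataset must not carry other fields (a rare country plus an exact timestamp, say) that would let the receiver single out a person without the vault. Second, the vault, its backups and any administrator access to it are what make the measure meaningful, so they need the same EU-only hosting and access control as the raw data.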
The decision to implement any of these mechanisms should start with a detailed, documented understanding of how personal information is currently used in each system, including the business use case and a map of the data flows covering collection, processing, storage, and any disclosure, sale or transmission to third parties. That documented current state should then be analyzed through the lens of the GDPR to determine which requirements apply to each use case and which transfer mechanism (or localization solution) is appropriate. Achieving GDPR compliance is not an easy process, and it requires extensive privacy-specific legal, technical, and business expertise.
For this reason a comprehensive, risk-based approach to privacy built on a proven methodology is recommended. These regulations can be difficult and expensive to implement, so businesses often engage outside professional services firms with specialized experience in cybersecurity and privacy. Expert consultants from firms such as Truvantis know how to apply a risk-based approach to determine which controls apply, and how to implement them quickly and cost-effectively with minimal impact on the business. They can also advise on how similar businesses are addressing similar risks, and on what changes to privacy law and compliance may be on the horizon.