The Court of Justice of the European Union invalidated the European Commission’s adequacy determination for Privacy Shield on 16 July 2020. They agreed there would be no transition period for this change. This means data shared with the US from the European Union or European Economic Area (EU/EEA) now needs additional protection to be GDPR compliant.

This is the second time the claimant, privacy advocate Max Schrems has raised this issue – he was previously responsible for the Safe Harbour agreement being invalidated in 2016, and so the new case is known as Schrems 2 [1].

Why does Schrems 2 matter?

We found that many people were not aware of the changes and were at risk of facing fines from the Information Commissioner’s Office (ICO).

If you’re a data controller, you may now be responsible if you’re found to be processing data of EU/EEA data subjects in the US without the appropriate protection.

Breaching GDPR can also harm your firm’s reputation and put customers off if you’re seen to not be taking adequate measures to protect their data.

What can you do to keep your data secure?

Audit

You need to carry out an audit to determine where your data is being processed. This might include processors (including their sub-processors), cloud-based tools, and website analytics tools (which are currently the subject of over 100 legal complaints filed by Schrems).

Understand

Then you need to work out if you have appropriate measures in place, or how you’re going to make any cross-border data sharing GDPR compliant. There are three ways to do this:

• Adequacy decisions
• Appropriate safeguarding
• Derogations

Using a Standard Contractual Clause (SCC) is considered an appropriate safeguard and is the most applicable solution in most scenarios. The law sets out a framework for you to follow and you can download the template SCC form and add to it to make it work for your business and your situation. Then you’ll need to share it with any of the companies you identified during your audit.

Your goal is to secure your supply chain, gain third party assurance and carry out your due diligence. This means you can be confident in where your data goes and pass that confidence on to your customers.

Transition

You’ll need to work alongside change management teams to create a mechanism for how you will share data. This needs to be more than a box-ticking exercise and should enable you to create living documents that can be constantly reviewed and updated.

For many firms, the Covid-19 pandemic has meant that GDPR training may have taken a back seat, but you need to make sure that everyone in your business is up to date with the regulations.

Start a conversation

Get in touch if you’d like to chat to us.

[1] – https://iapp.org/resources/article/schrems-ii-aka-schrems-2-0/

[2] – https://noyb.eu/en/eu-us-transfers-complaint-overview

[3] – https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en

[4] – https://ico.org.uk/make-a-complaint/eu-us-privacy-shield/