For those organisations who rely on the Privacy Shield for their transfers of personal data from the EU to the USA, the recent case of Schrems II has rather put a spanner in the works.
Max Schrems, you might remember, is a privacy activist. He runs the NOYB digital rights organisation based in Vienna. He was essentially responsible for bringing the court cases that led to the demise of the former mechanism by which the Commission acknowledged that the US had adequate privacy protections in place, the so-called Safe Harbour arrangement.
He has struck again, and his case involving Facebook Ireland has now resulted in the Privacy Shield being removed.
This means that unless controllers have acceptable alternative arrangements in place, such international transfers will be unlawful.
The alternatives are (i) the use of the Standard Contractual Clauses (SCCs) and (ii) Binding Corporate Rules (BCRs).
On the matter of SCCs, the European Data Protection Board has said that controllers will need to carry out a risk assessment to determine whether their use of SCCs will provide enough protection in the local legal framework.
The use of BCRs (which are typically relied on in larger organisations for intra-group international transfers) involves an extra step: the controller must obtain approval of their BCRs from the relevant supervisory authority.
Because of Brexit, if you are relying on the use of BCRs and your chosen supervisory authority is the UK’s Information Commissioner’s Office (ICO), you will need to identify a new supervisory authority.
Just to add to the pressure, you will need to have both identified a new supervisory authority and obtained their approval before the end of the Transition period on 31st December 2020.
To help you assess the risk and respond quickly in these uncertain times, the EDPB has issued a guidance note (an Information Note) and the ICO has published an interactive tool on its website, and has undertaken to provide as much support as possible over the coming months.