The European Court of Justice, the EU-US Privacy Shield and GDPR.
While you were on a staycation you may have missed the European Court of Justice ruling of July 2020. Since the introduction of the EU GDPR in 2018 we have had laws and regulations to guide us in how we treat and manage personal data.
The July ruling addresses the legality of EU citizens’ data being transferred outside the EU to US data centres under the EU-US Privacy Shield agreement. The Privacy Shield has been ruled invalid with immediate effect. Standard Contractual Clauses (SCCs) remain a valid mechanism for international data transfers, but there are considerations for anyone operating under them.
According to the ruling: “Supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
The Irish Data Protection Commissioner (DPC), Helen Dixon, has recently issued a preliminary order to Facebook to stop transferring personal data to the US.
The ruling places an obligation on data controllers to assess the privacy laws of countries outside the EU if they wish to continue to rely on SCCs for transfers to those countries.
For you or your company, you can start by asking:
- Do you have data transfer arrangements based solely on the Privacy Shield?
- Do you use suppliers based in the US or who host your data in the US?
- Do you use telecommunications and/or cloud-based services based in the US?
- Do you rely on SCCs to transfer data to other non-EEA countries?
If you answered YES to any of the above, assessing your international data flows and the safeguards you are relying upon just moved up your list of priorities.
Some claim SCCs can no longer be used for data transfers to the US at all. Others point to the need to check specifically whether the company you wish to transfer data to is subject to the Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333, which permit US security authorities to access personal data without a court order.
For example, US-based telecommunications companies fall within FISA, and it has been argued that SCCs may no longer provide adequate protection for data transfers to these providers. The same logic can be extended to others, such as cloud service providers that rely on the services of those telecommunications providers.
If you require information about VMotion IT Solutions and our Irish and EU-based Cloud Services, Data Security or Web services, please email us at firstname.lastname@example.org