Magali Feys | Jul 20, 2020

After Schrems II: Contracts No Longer Enough For International Data Transfer

Companies relying on the EU–U.S. Privacy Shield for data transfers should swiftly implement appropriate safeguards and mechanisms to avoid the risk of having data flows suspended, as the potential costs far exceed any possible, and possibly contemporaneous, fines.

Summary: On 16 July 2020, the Court of Justice of the European Union (CJEU):

  • Declared the EU–U.S. Privacy Shield enabling trans-Atlantic data flows invalid;
  • Ruled that organisations may no longer rely on EU Commission-approved standard contractual clauses alone. Rather, they must now use additional appropriate safeguards for the lawful transfer of personal data to any country that does not have an EU Commission adequacy decision. This captures nearly every non-EU country in the world, including the US.

The lawfulness of your international data flows, in particular between the EU and the US, now requires immediate attention.

The Issue: Modern data protection laws, like the EU General Data Protection Regulation, implicitly acknowledge the proliferation of powerful technical tools performing analysis on massive stores of personal data. They also recognise the inability of contracts by themselves to protect individual privacy rights. When confronted with these types of technologies, laws must balance them against the rights of data subjects while not stopping innovation.

Contracts and policies can provide clarity as to particular actions that involve wrongdoing or inappropriate use of data. However, by themselves, they are “too little, too late” if data subjects suffer identity theft, loss of credit, denial of time-sensitive services, discrimination, etc. In circumstances where data subjects suffer these harms, there is no adequate remedy by contract/policy alone. Contract-based mechanisms and policies need complementary tools, like appropriate technical safeguards for data, to be effective.

The CJEU ruled that to enable lawful international data transfer and processing, appropriate safeguards must be used to supplement contractual provisions to ensure data protection.

Looking Ahead: Data Protection Authorities will be reviewing exports of personal data beyond the European Union/European Economic Area ("EU/EEA").

Since no grace period was announced for compliance with the CJEU decision, companies relying on the EU–U.S. Privacy Shield for data transfers should swiftly implement appropriate safeguards and mechanisms to avoid the risk of having data flows suspended, as the potential costs far exceed any possible, and possibly contemporaneous, fines.

For more information, please read After Schrems II: Contracts No Longer Enough For Data Transfer, by Magali Feys, Chief Strategist of Ethical Data Use at Anonos and founder of AContrario Law, a boutique law firm specializing in IP, IT, Data Protection and Cybersecurity. On numerous occasions, Magali has assisted the Belgian Ministry of Public Health in privacy-related matters. She is also a member of the legal working party e-Health of the Belgian Minister for Public Healthcare.

 

This article originally appeared on LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
