One of the more operationally challenging components of the General Data Protection Regulation (GDPR) was the restriction on transferring European personal data to recipients outside of the European Economic Area (EEA). Essentially, unless an exception or some additional GDPR-approved mechanism applies, European personal data cannot be transferred to non-EEA countries unless the data is being transferred:
- within a related multinational group of companies that has adopted an internal code of conduct (called “binding corporate rules”) which applies to restricted transfers of personal data from the group’s EEA entities to its non-EEA entities and which has been approved by an EEA supervisory authority;
- between an EEA-based data exporter and a non-EEA-based data importer who have entered into a contractual agreement that adopts a set of “standard contractual clauses” adopted by the European Commission; or
- to a jurisdiction for which the European Commission has issued an “adequacy decision,” finding that the jurisdiction has adopted “adequate” data protection safeguards. As of the writing of this article, this list of jurisdictions was limited to Andorra, Argentina, commercial organizations in Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Importantly, up until last week, U.S. organizations that participated in the U.S. Department of Commerce’s Privacy Shield framework were also considered to have implemented adequate data protection safeguards.
On July 16, 2020, the Court of Justice of the European Union issued a judgment invalidating the U.S. Privacy Shield framework as an inadequate data protection safeguard. This means that organizations transferring EU personal data into the U.S. can no longer rely on participation in the Privacy Shield framework as an adequate cross-border data transfer mechanism under the GDPR, and will need to rely on an alternative mechanism to cover any transfer of EU personal data into the U.S.
While U.S. organizations often adopt multiple mechanisms to “cover” the transfer of EU personal data into the U.S., participation in the U.S. Department of Commerce’s Privacy Shield framework had historically been particularly advantageous given that the mechanism did not require a contractual arrangement with an EEA-based data exporter. Indeed, over 5,000 organizations had signed on to Privacy Shield. For more information on Privacy Shield, read an earlier blog post on this topic here.
If your U.S. organization relied on participation in Privacy Shield as its cross-border transfer mechanism under the GDPR, and especially if your organization relied exclusively on Privacy Shield, now is a good time to consider the alternative forms of GDPR-approved cross-border transfer mechanisms and implement any operational changes necessary. This could include, for example, and where appropriate, reviewing the Commission’s standard contractual clauses to ensure your organization can comply with them and/or amending your organization’s data processing addendum to reflect the adoption of an alternative transfer mechanism.
Like many of the requirements under the GDPR, there is no “one size fits all” solution for adopting an appropriate safeguard for cross-border personal data transfers, and a variety of factors, including from whom the personal data is collected, need to be assessed. Stay tuned for future blogs on the topic of cross-border transfer mechanisms under the GDPR for more guidance!