No Grace Period for Data Transfers After PS Invalidation
There's no grace period for companies to continue transferring data from Europe to the U.S. without assessing its legal basis, the European Data Protection Board said in FAQs published Friday. Some stakeholders were hoping for a grace period after the European Court of Justice invalidated Privacy Shield (see 2007160002).
The ECJ's finding that U.S. law doesn't provide an essentially equivalent level of protection to the EU "has to be taken into account for any transfer for the U.S.,” the board said. There are some "derogations" from EU law that can be used to move data, such as informed consent and transfers necessary for the performance of a contract between a data subject and controller, it said.
After the EC decision approving safe harbor was ruled invalid, many companies were caught by surprise, said Tanguy Van Overstraeten, data protection attorney at Linklaters, in an interview. Annulment of PS should be less dramatic in its consequences because many stakeholders anticipated that situation and foresaw additional mechanisms, he said: Many companies will have to find solutions to switch to, and that takes time.
"There are workarounds to maintain data flows to the U.S.," said Stewart Room, DWF Law (London) global head-data protection and cybersecurity, in an interview. Businesses have been focused on a one-size-fits-all approach to transfer challenges via PS, standard contractual clauses (SCCs) and binding corporate rules, but haven't looked at using explicit consent from data subjects or that data can be sent if it's necessary to fulfill a contract, he said. These approaches must be handled case by case, but the burden is no bigger than that now required by the ECJ ruling on SCCs, he said.
Another workaround could be to think of data processing as simply storage, Room said. Data could be placed in a cloud and anonymized. The big question is whether U.S. surveillance affects just telcos and ISPs or whether it encompasses every online company whose traffic travels through their networks, he said.
The ECJ’s decision should prompt a careful look at defects in U.S. surveillance law for human rights, said Center for Democracy & Technology Senior Counsel Greg Nojeim. Whether policymakers engage in a meaningful examination of U.S. law, based on this decision, depends partly on how U.S. companies respond, he argued: If they press for revisions, they stand a chance. If they don’t and look for another bandage "over a gunshot wound, we will find ourselves” with an EU-U.S. agreement not much different from the one just struck down. For consumers, the decision means a “second bite at the apple” to protect their data, he said.
Everyone is watching for a PS replacement, said BSA|The Software Alliance Policy Director Kate Goodloe. It was good to see both sides recognizing the need to work together and find alternative means for transferring data, she said. It was good to see SCCs validated in the decision, she added.
“We are now working with all the Data Protection Authorities within the Board to provide maximum clarity on the consequences of the ruling as soon as possible,” emailed European Data Protection Supervisor spokesperson. The EDPB July 17 said it intends to keep “playing a constructive part” in developing a trans-Atlantic personal data transfer that benefits European Economic Area citizens and organizations, and “stands ready” to help the EC devise a new framework.