Privacy Shield being invalidated
Hi there - I'm *** from ***, a US-based company that acts as a data processor. We used your excellent GDPR toolkit to be compliant when GDPR first came out (May 2018). Recently, as I'm sure you know, Privacy Shield was invalidated. What advice can you provide on how to retain GDPR compliance going forward?
Since the European Court of Justice “invalidated” the Privacy Shield, data cannot be transferred on the ground of the previous adequacy decision made by the EU Commission. This means that now data transfers must have another legal ground like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).
The European Data Protection Board (EDPB) issued a FAQ on the implication on GDPR compliance of the ECJ solution and stated that the data controller must take additional measures to ensure the same level of protection of personal data assured by GDPR: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
The main issue is that the US data controllers are forced to comply with US law, which prevails over the Standard Contractual Clauses. The EDPB concluded stating that the data controller should consider storing or processing data elsewhere than the US.
You can process personal data outside of the U.S. if you use cloud providers which have servers in the European Union - all the major providers like Amazon AWS, Google Cloud, Microsoft Azure, and others have that option.
You can find more information about data transfer here: 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
You can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Aug 26, 2020