The main basis for data transfers between the EU and third countries without an equivalent level of data protection, the Privacy Shield, has no longer existed since July 2020. Are Standard Contractual Clauses now the solution? In theory, yes, but in practice the fine print needs a careful look.
Companies that transfer data to countries such as the USA, China, Russia and India are now required to examine and assess these transfers themselves. This is because the European Court of Justice and the European Data Protection Board hold companies responsible for the lawful use of Standard Contractual Clauses. This is a major challenge for many companies.
You should therefore take action on these points, especially when data is transferred to the USA:
- Identify data exports
In which cases do you export personal data, and which service providers or subcontractors do you work with? Companies such as Google or Facebook are known to process data of EU citizens in the US. But EU-based companies also often store personal data in the US for cost reasons. This means that US authorities may have free access to this data. Read the Standard Contractual Clauses in detail.
- Adapt data protection notice
Remove any references to the Privacy Shield from your data protection notice and update the information about the type of data transfer. Data subjects must be informed of this in a transparent manner.
- Check legal basis
Standard Contractual Clauses between controller and recipient have been the main legal basis for US data transfers since the removal of the Privacy Shield. However, they should be assessed on a case-by-case basis for each existing data transfer and should provide for additional measures if the level of data protection is not equivalent. These measures may be legal, technical or organisational. You should also check whether they are actually implemented and complied with.
- Additional protective measures
One possibility is the end-to-end encryption of your data. This protects data not only during transmission, but also while it is stored with the recipient in the third country. However, the key for decryption must remain in the EU. Pseudonymisation of your data could also be an alternative. The pseudonymisation key and the re-identification table must likewise remain in the EU in this case.
IMPORTANT: Supplement your Standard Contractual Clauses and oblige the recipient of the data to immediately stop all data transfers or delete the data if requested by supervisory authorities.
- Examine EU alternatives
Can data transfers to third countries be avoided? Are there EU providers with similar functions at comparable costs?
If the assessment of a data transfer is negative, each company must weigh up for itself whether to stop processing, look for an alternative or take the risk. It is not possible to say at this stage what steps supervisory authorities will take. A blockade of US transfers could have far-reaching economic and political consequences. It therefore remains to be seen whether fines will be imposed directly or whether such transfers will merely be prohibited for the time being.