Data transfer in compliance with Schrems Judgment 2.0
Is it legal to send personal data to the US after July 16?
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the agreement between the US and the EU, the so-called Privacy Shield. This agreement allowed the transfer of data from the EU to the US with the assumption that the same level of data processing security guaranteed by European Union law would be maintained. As of July 16, any transfer of data under the Privacy Shield is illegal.
In addition, the CJEU ruled that the legality of data transfers under the Standard Contractual Clauses (SCCs) depends on the level of data protection guaranteed by the destination country’s law. Any data transfer must be preceded by a risk analysis. This new legal reality applies to data transfers to all countries outside the European Economic Area (EEA), i.e. to so-called “third countries”.
When will the transfer be secure?
Many companies use services that rely on cloud computing. Popular cloud services, including Trello, Google Drive, Microsoft OneDrive, Apple iCloud, instant messaging and video-conferencing services, are likely to transfer some data (such as telemetry data) to third countries. This happens even when data storage is limited to servers located in the EU. In our view, Schrems 2.0 does not mean that from now on it is illegal to use such services. We believe that certain types of data transfers to third countries can still be defended.
First of all, we are referring here to services where the transfer does not involve so-called content (user-generated content). It is still possible to transfer telemetry data and even basic user data. Transfers protected by end-to-end encryption are also secure.
Another type of service that does not require additional security is one processing so-called stateless data, i.e. data that is not stored in the destination country.
For other types of data, in particular so-called content, it must be demonstrated that an adequate degree of protection is provided in the destination country. Each case should be analyzed separately in terms of potential risks.
If we do not take care of the legality of data transfer to the US, or are not aware that we are transferring such data, we may be exposed to high penalties from the supervisory authority, and there may be consequences for the continuity of our business.
What to do and how we can help you:
- Verify the terms of use of IT tools and determine whether the solutions are global, or whether data may be transferred to third countries as part of your cooperation with your supplier/contractor.
- Verify the legality of using these services.
- For US transfer agreements covered by the Privacy Shield, we look for another legal basis.
- If the data is sent on an SCC basis, additional verification of the level of data protection in the destination country is necessary.
- Once you have done this, update your GDPR (RODO) documentation.