Probably everyone now has, at least, heard about the EJC sentence called Shrems III that basically rules out the possibility to use Privacy Shield infamous agreement to allow data transfer between EU and USA based on the fact that the USA does not provide enough guarantees EU data will be protected.
If you don’t know (but you should) here my previous article:
https://thepuchiherald.com/2020/07/17/ops-privacy-shield-bye-bye/
After the sentence one of the question was: what now?
Will a Grace period be offered to survive this? (lot of companies were transferring data using privacy shield to USA)
And most of all does SCC will be enough?
The answer my friend, is blowing in the wind...
er no actually there have been some FAQ form the EDPB that should call to action fel local authorities.
According to the new FAQs of the European Data Protection Board on #SchremsII decision, if you want to transfer personal data to the US under the SCCs or other means, you will have to notify the data protection supervisory authority. This approach will oblige companies to perform a massive amount of work since the notification will have to be definitely accompanied by an assessment as to the adequacy of the data transfer mechanism. Are companies and SA ready to handle this large amount of work?
While some Authorities do have not yet reacted (and this is not a surprise for Italians, I am afraid) some others (wonder who) have made a statement that clarifies the doubts that can eventually rise up and not solved by the EDPB’s FAQ.
The Conference of German Supervisory Authorities (DSK) issued its statement yesterday about the consequences of the #Schrems II judgment that, as we can imagine, is completely aligned with the EDPB position. There are some points that are critical on the matter:
Data transfers based on the Privacy Shield are no longer allowed and all companies must immediately suspend them
This is a critical point since I am quite sure there are companies that do not even know their data were delivered to the USA under Privacy Shield. I would like to remind you that if an audit from the authority knock at your door something like: “I don’t know”, “I don’t remember” will not save you. GDPR requires that you, company, prove you have done your duty in a concrete, effective way, so not paper compliance here allowed. Just to make life easier I would love to remind you also that this is not just the German way, and sooner or later the other authorities will align with such requirements.
Transfers based on the SCC require an assessment of the adequacy of the context and the supplier
And here we have the headache since it is not “optional” the assessment is mandatory. This comes as an obvious consequence to the fact in the EDPB FAQ it is written to be allowed SCC’s transfer should be communicated to the authority. Now this means, for some of you so naive that was thinking, I can send a mail to the authority telling, “hey chap I use SCC do not worry” does not work like this. For some reason they want you to prove you did your duty.
The use of SCC for the transfer of data to the United States, in the absence of additional guarantee measures, it is not sufficient to legitimize the activity
And of course, if you send your data to a country that does not guarantee the privacy of EU citizens and residents, well, your duty is kind of complex. And let be clear and brutally honest (while usually I am obscure but kind rotfl) this will require the active cooperation of the vendors that offer you services because you need solid proofs and not just paperBS.
There is no “grace period”
And this means you need to do this right fucking now.
And just for the sake of my Italian fellow countrymen, this means that even if our authority is under a sleeping spell and did not react yet, you have to act nevertheless because again an audit will knock and you will have show you’ve done the right thing. But the “garante” did not tell us nothing will not be an excuse to avoid non-compliance (with the relative consequences).
Time for DPO to start working and earn their money 😂🤣 (Is a joke I know many DPOs already do something)
Share this:
Related Posts via Taxonomies
To the official site of Related Posts via Taxonomies.
Shrems II, Data transfer, and the USA: wheels are rolling. by The Puchi Herald Magazine is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Related posts:
Guida al GDPR per chi non ne vuol sapere: dice il controller “lei non sa chi sono io”
Privacy Impact Assessment
Guida al GDPR per chi non ne vuol sapere: raschia raschia rimane il rischio ?
Etica e DPO, un difficile rapporto?
Garante & email: se 7 giorni vi sembran pochi
Powered by YARPP.
being on the old side of the pond, in the EU, I understand why USA people do not actually understand the reasons for EJC ruling. This is less political (no government is enjoying this situation) but mostly technical, we should consider we are a land of roman law (ruling out the UK) against a land of common law🤣 and this is something we should always consider. Privacy experts at this side of the pond were not surprised by this development. So setting it was not unexpected I agree with being Proactive and basically would worth having a bipartisan approach on how to make possible audits and validate those SCC in a way that would minimize the risk for EU citizen and resident data. This is at the moment something does not make any sense to wait for, since DSK clearly explained there is no grace period. GDPR allows, if reasonable, to have a process in place to correct a non-conformity, and I do not think there will be authorities that will simply apply fines to anyone who was relying on privacy shield services or SCC ones, but they will have to be able to demonstrate they were starting doing their complex due diligence and can’t stop operation in the meanwhile.