Schrems II Ruling - The gift that keeps on giving
The Wealth Management guide to the impact of the EU ruling the EU-US Privacy Shield invalid

The Schrems II Ruling - The gift that keeps on giving (more work that is)

So here we go again, that old chestnut of sending data to the US but this time it is under the 2017 DPL.  So before you contemplate the impact, ask yourself these questions. 

  • Did your Data Protection Risk Assessment or any risk assessment evidence how you can send your data under the  EU-US Privacy Shield?

  • Obtained Clients and Employees consented to your indirect use (if you use any of the services listed at risk)?

If the answer is no to either or both, you should read on.

What is the 16 July 2020 ruling

The EU-U.S. Privacy Shield framework (“Privacy Shield”) is no longer a valid mechanism for exportation of personal data from the European Economic Area (“EEA”) to the United States. This is primarily because, in the CJEU’s view, the Privacy Shield fails to remedy two problems with aspects of the legal framework for U.S. intelligence collection: 

(i) U.S. law gives U.S. authorities the right to collect personal data about non-U.S. persons without sufficient safeguards and 

(ii) such individuals have no effective manner to seek redress against the U.S. government in U.S. courts.

The controller-to-processor Standard Contractual Clauses (“SCCs”) (which were first issued in an annex to decision 2010/87/EU) can still be used as a mechanism for exporting personal data from the EEA to outside the EEA, but only if the transferred personal data receives a level of protection essentially equivalent to that provided by the GDPR and the EU Charter of Fundamental Rights. 

The data exporter and the data importer that seek to rely on the SCCs are responsible for assessing whether the level of protection is adequate, and they must take all relevant facts into consideration, including 

(i) any additional contractual provisions that may apply to the importer, 

(ii) subsequent transfers of personal data by the importer, and 

(iii) the domestic laws applicable to the importer, including, in particular, any legal requirements that give the importer’s government access to the data, such as those mentioned in paragraph 1 above.

What services are at risk?

Microsoft In-Cloud Services: Azure, Powerforms, 365 and MS Dynamics 
(https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-eu-us-privacy-shield?view=o365-worldwide)
Salesforce
WhatsApp
MailChimp
LinkedIn
EventBrite
(Many more if you follow this link https://gdprtracker.io/)

So what to do next

Do the preparation, such as identify what, who and how you will notify. Consider the adequacy of your current compliance and how easily can you identify which vendors are captured and with what data.

Businesses that currently rely on the EU- U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Businesses may be able to rely on derogations provided in the Data Protection (Bailiwick of Guernsey) 2017, Law for certain transfers (such as when the transfer is necessary to perform a contract), and Standard Contractual Clauses (“SCCs”) or Corporate Rules should also be considered as alternative mechanisms.

So where there is no alternative and it forms part of the contract, think a US Custodian or US product financial provider, it is pretty straight forward.

For all other use cases, the test has to apply under the DPL and the following Sections. 

56. Transfers on the basis of available safeguards., and 57. Transfers on the basis of authorisation by Authority.  This is awaiting guidance on 4, so watch this space, this is the can-do/can't do clause. 

(4) In determining whether to authorise a transfer under this section, the Authority must take into account any opinions or decisions of the European Data Protection Board (established under Article 68 of the GDPR) issued or adopted under Article 64, 65 or 66 of the GDPR. 

59. Other authorised transfers. Commonly this is:-

d) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision in respect of the unauthorised jurisdiction,

How can we help

Amberisk undertakes DPL advisory, and also we are developing in partnership with Odoo S.A. a Cloud Platform that we can host, in-house, in the jurisdiction or where-ever else you choose to put it.
CRM, Accounting, Corporate Secretarial, HR, Event booking, Compliance, email campaigns.

Call Hayden on 07781 126058

The Global Human Rights Sanctions Regulations 2020
Finally the Magnitski Act makes it to the British Isles