Do you transfer data to the US? [Privacy Shield alert]
Each year, vast amounts of personal data is transferred between the EU and the US. The European Court of Justice (CJEU) has decided that one of the legal mechanisms that enables this – Privacy Shield – is now illegal.
The ramifications are huge. The Information Commissioner’s Office (ICO) recognises that ‘international data transfers, that are so vital for the global economy, suddenly become open to question’ as a result.
Why has it been made illegal?
In summary, the laws in the US mean that the Government there can step in at any time and review data for national security purposes without notifying the data subject in advance.
How will the Privacy Shield ruling affect my UK business?
Firstly, don’t panic. There are steps you can take right now.
If you transfer data to the US using Privacy Shield, then you need to stop. We’re reaching out to our clients and talking through the implications with them. We’re affected ourselves (we’ve relied on Privacy Shield for the cascade of our newsletter), so you can be sure that we’re determined to find alternatives.
We recommend that all businesses conduct a review to understand whether you – or any of your third parties with whom you share personal data – transfer information to the US. Check to see if you or a third party use standard contractual clauses (SCCs) or binding corporate rules (BCRs) as these have also come under scrutiny. Although they have been deemed to be valid, additional measures are required if you continue to use them.
Also think about the cookies you have on your website/s. Using a free tool such as Cookiebot will help you find out if you are compliant and understand where data is being transferred to.
Next steps
In terms of good news – we’re all in this together. Thousands of organisations across Europe are impacted by this change. We’re watching and waiting for more guidance from the European Data Protection Board and the ICO. We’re also following up with larger organisations who have relied on Privacy Shield to understand what their response will be…watch this space! In the meantime, there are some other transfer methods that can be used under Article 49 (geek alert!), but this is for occasional transfer of information or if there is consent in place for transfer.
If you’d like to find out more, visit the ICO website.
If you want to talk to us about any concerns, please get in touch.