While we await the actual text of the ECJ decision in Schrems II, and based on the fact that we know from the Press Release that Privacy Shield has been invalidated, I thought I’d set out high-level next steps.
Many current privacy practitioners joined in a great wave after GDPR was finalised in 2016. Many were not around when Safe Harbor was invalidated in Oct 2015. For those of us who were, the process is not at all daunting.
Firstly, the EU Commission is likely to allow breathing space for a replacement. This happened last time.
For those who choose to replace their invalidated Privacy Shield basis of extra-EU transfer of personal data without waiting for the Commission, the process is straightforward.
Identify transfers to the US. If you have run transfer projects with your clients, you may have this information on a spreadsheet. If not, you will have to do it the hard way by conducting an audit of all your client’s transfers, whether to controllers or processors, and whether directly by your client or indirectly via their processor.
Then you will have to put an alternative method of transfer in place, most likely Standard Contractual Clauses (Model Clause Contracts).
Since the press release, we obviously now have the full judgment. Given that the judgment states that when using Standard Contractual Clauses the third country jurisdiction has to be specifically assessed, and given that US processing was impugned because of state surveillance programs, it is likely that only processing which qualifies under Article 49 of GDPR is predictable as being definitively lawful.
#PrivacyShield #GDPR #SchremsII www.bizlegal.eu