Is your business transferring personal data to the United States securely?

Legal Eubdate
16 December 2020

In a connected world, personal data travel around the globe effortlessly, and at times without you even knowing it. Just think of the cloud applications you use within your company, or the service providers that have access to personal data of your employees or customers.

Your undertaking is not allowed to transfer personal data to a country outside the European Economic Area without any restrictions. Transfer of personal data is only allowed when the destination country offers a level of protection of personal data that is equivalent to the protection offered by the European General Data Protection Regulation ("GDPR"). The same applies when the data can be accessed from outside the EEA, without being transferred.

For a limited number of countries, the protection is realised through an "adequacy decision" adopted by the European Commission. For the US, an adequacy decision was adopted in 2016: the EU-US Privacy Shield for data transfers. This framework allowed companies to transfer personal data to other companies in the United States that had been certified under the Privacy Shield.

On 16 July 2020, the Court of Justice annulled that adequacy finding with immediate effect ("Schrems II judgment" dated 16 July 2020).

What should you do?

  • Review where personal data are located within or outside your undertaking.
     
  • No longer transfer personal data to group companies, service providers, etc. in the United States until you have an alternative to the Privacy Shield in place.
     
  • Investigate what safeguards are appropriate as an alternative to your current data transfers under the Privacy Shield, such as technical solutions, standard contractual terms or binding corporate rules.
     
  • Review your agreements if they include the transfer of personal data based on the Privacy Shield.
     
  • Adjust your privacy statement if it refers to or is based on the Privacy Shield.

In the meantime, the European Data Protection Committee has published a document covering frequently asked questions about the judgment ("FAQ"). And, of course, we are available to help you with any questions you may have and with the steps you should take to mitigate the risk of incurring – potentially huge – penalties.