This blog is part of a multi-part series, "A new age of data transfers", which will explore the practical implications of the Court of Justice of the European Union's judgement in Case C-311/18 "Schrems II".

Following the invalidation of the Privacy Shield on 16 July 2020 by the Court of Justice of the European Union, the situation with respect to data transfers is becoming progressively more complex. Privacy Shield no longer constitutes a valid basis for the transfer of personal data to the United States, and while Standard Contractual Clauses remain in force for the time being, constituting an alternative which is in principle legitimate for the transatlantic transfer of data, a number of EU Supervisory Authorities (namely the Berlin, Hamburg and Dutch Data Protection authorities) have adopted particularly critical positions. Interestingly, the ICO posted the following statement on its website: "We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period."

Companies acting both as data controllers and data processors must now take action in order to ensure the legality of data transfers from the EU to the US.

Here's what you need to do now:

5 Actions for Data Controllers

If you are a data controller, it is necessary to:

  1. Identify transfers to the United States (e.g. in the Article 30 GDPR Records of Processing Activities) and verify the legal basis that is used. If the transfer is based on Privacy Shield, a new legal basis must be identified (e.g. considering what is mentioned above, Standard Contractual Clauses or, where applicable, one of the Article 49 GDPR exceptions, for example, transfer necessary for the performance of a contract between the data subject and the controller);
  2. Proactively contact suppliers (Data Processors) to indicate that it will be necessary to identify a new legal basis (e.g. Standard Contractual Clauses) for the processing entrusted to them which involves, directly or through sub-contractors (sub-processors), transfers to the United States which until now have been regulated on the basis of Privacy Shield (e.g., considering what is stated above, Standard Contractual Clauses or, where applicable, one of the exceptions pursuant to Article 49 GDPR, for example, transfer necessary for the performance of a contract between the data subject and the controller);
  3. Once data transfers to the United States have been reorganized on a legal basis other than Privacy Shield, update the Records of Processing Activities (Article 30 GDPR) and the relevant information to be provided pursuant to Articles 13 and 14 GDPR accordingly;
  4. Verify and modify references to the Privacy Shield in the Data Controller's privacy documentation (e.g. policies, procedures, contracts, etc.);
  5. Carefully monitor the activities of the competent Supervisory Authorities regarding further interpretations and practical advice to bring any data transfers to the United States in line with the decision of the Court of Justice of the European Union, and more generally, with the applicable data protection legislation (e.g. in case of invalidation of the Standard Contractual Clauses).

5 Actions for Data Processors

If you are a data processor, it is necessary to:

  1. Identify data transfers to the United States (e.g. in the Article 30 GDPR Records of Processing Activities) as well as those carried out by means of sub-contractors (sub-processors) and verify the legal basis used. If the legal basis is Privacy Shield, a new legal basis must be agreed upon with the Controller (e.g., considering what is stated above, Standard Contractual Clauses or, where applicable, one of the exceptions pursuant to Art. 49 GDPR, for example, transfer necessary for the performance of a contract between the data subject and the controller);
  2. Contact Controllers proactively to indicate that, in the event the processing entrusted to Processors involves, directly or through sub-contractors (sub-processors), transfers to the United States which have until now been regulated on the basis of the Privacy Shield, it will be necessary to identify a new legal basis (e.g., considering what is stated above, Standard Contractual Clauses or, where applicable, one of the exceptions pursuant to Art. 49 GDPR, for example, transfer necessary for the performance of a contract between the data subject and the controller);
  3. Once data transfers to the United States have been reorganized on a legal basis other than Privacy Shield, update the Records of Processing Activities (Article 30 GDPR);
  4. Verify and modify, as appropriate, references to Privacy Shield in the relevant privacy documentation (e.g. in the Data Processing Agreements "DPA" pursuant to Article 28 GDPR);
  5. Carefully monitor the activities of the competent Supervisory Authorities regarding further interpretations and practical advice to bring any data transfers to the United States in line with the decision of the Court of Justice of the European Union and more generally, with the applicable data protection legislation (e.g. in case of invalidation of the Standard Contractual Clauses).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.