What companies can do now following the invalidation of the EU-US Privacy Shield?
Practical steps forward after the demise of the EU-US Privacy Shield – We can all agree that at the heart of the Schrems II conundrum (the invalidation of the EU-US Privacy Shield by the EU Court of Justice) are overarching political issues. The ultimate resolution is likely to be a political one, but that is a very long way off. Some companies have already been receiving inquiries from their clients wanting to know what they are doing about this. Companies need to understand what practical steps they can take today.
Teresa Troester-Falk, founder of BlueSky Privacy, held a conversation with Monika Tomczak-Gorlikowska on this topic. Monika has almost 20 years of both legal and practical operational experience working in the field of privacy and data protection and is highly valued for her pragmatic perspective. You can listen to the recording here, in which they discuss practical steps to move forward while we all wait for continued guidance and clarity. The points can be summarized as follows:
There is a lot of dust to settle. In the coming weeks and months, there will be additional guidance from local supervisory authorities and the European Commission. We are all in this together.
Start with an inventory of your transfers and vendors.
For many who went through this exercise when Safe Harbor was invalidated, this may be a visceral memory. If you have hundreds or thousands of contracts in play, there will be a lot of work involved. Don’t underestimate the effort required to remedy those contracts. It’s not a single push of a button.
Monika suggests starting with the processes your organization already has for contracting and for procuring and managing vendors, and looking at what software and applications support them. Leverage those processes as much as possible, and involve that part of your organization in the remediation from the very start.
Execute Standard Contractual Clauses.
There are outstanding questions regarding the “case by case analysis” and “additional safeguards” referred to in the Ruling, and the European Commission has indicated its intent to modernize the SCCs, so much remains unsettled. However, leading law firm guidance suggests it is prudent to move forward and execute these clauses where they are not in place. Monika suggests that when assessing their use, you consider the following:
- What are the risks to individuals? Is this HR data, or is it data with the same characteristics as the data at issue in the case?
- Look at best practices and watch for guidance in the coming weeks.
- Consider which additional safeguards will enhance your contractual position (e.g., pseudonymized data, encryption).
Consider your hosting locations.
Discuss hosting locations with your vendors; many vendors now offer options. Note, though, that this is not a magical solution. Even if the data is hosted in Europe, simply accessing that data from outside Europe may constitute a transfer (e.g., a customer service person in India querying the database). Still, this choice can become part of your overall privacy compliance posture and will go a long way toward demonstrating the measures you have put in place.
Bolster your privacy program.
Certification to the EU-US Privacy Shield required verification of adherence to 7 core privacy principles. In practice, this meant putting in place a comprehensive privacy program. Don’t stop. Keep doing that, and more of it. Increasingly, regulators expect companies to demonstrate not just a “checklist” of legal obligations but an ongoing capacity to comply. A robust privacy program will put companies in good stead to comply with multiple laws and obligations.
Ask us how we can help you review your current risks and support your practical next steps.
Follow us on LinkedIn: https://www.linkedin.com/company/blueskyprivacy/mycompany/