Date: July 20, 2020
Modified November 14, 2023
Written by: Annemarie van Woudenberg
Reading time: +/- 2 minutes
Does your organization use, for example, a backup server in the US via Linux or Acronis, or email marketing software such as MailChimp, and do you invoke the Privacy Shield for the lawful transfer of personal data under the General Data Protection Regulation (hereinafter AVG)? Then you need to take action soon to avoid a fine from the Personal Data Authority!
Within the European Union (hereafter EU), the AVG applies and protects the privacy of Union citizens. When personal data is transferred to countries outside the EU, this privacy is at risk, because third countries are not bound by the AVG and so privacy is not necessarily protected (in the same way) in those countries. However, the EU wants to safeguard the privacy of Union citizens as much as possible even outside the Union, and has therefore stipulated in the AVG that the AVG also applies to the transfer of personal data to third countries. For such transfers, the AVG requires that the persons whose data is transferred be offered the same level of protection as within the EU. This can be achieved in various ways (listed in the AVG).
In that context, for the transfer of personal data to the U.S., the European Commission had decided that European companies could lawfully transfer personal data to organizations in the U.S. that were certified under the Privacy Shield. The Privacy Shield included agreements between the EU and the US on how personal data could be transferred from the EU to organizations in the US. Organizations such as Linux, Acronis and Mailchimp are such certified companies.
Meanwhile, the Court of Justice has declared that the Privacy Shield does not provide the same level of protection as the AVG in Europe. According to the Court, the limitations on the protection of personal data arising from the US internal regime are not delineated in a way that achieves the same level of protection as in the EU. Furthermore, individuals whose data is transferred to the U.S. do not have the opportunity to appeal to an independent body (as the Personal Data Authority does in the Netherlands) that provides safeguards with respect to the processing of personal data and supervises it.
For these reasons, the Court declared the Privacy Shield invalid. Therefore, it no longer provides a lawful basis for transferring personal data to the certified organizations. If you continue to transfer personal data to any of those organizations in the U.S., you risk being fined by the Personal Data Authority.
It is not convenient for your organization if you now have to find another company within Europe to perform the same services. Fortunately, this is not necessarily required. To avoid a fine, you can enter into an (additional) agreement with the U.S. organization to which you transfer the data. In this agreement you can include provisions on your obligations as data exporter and the obligations of the data importer in the US. Furthermore, you can make agreements about the liability of the parties, how to cooperate with supervisory authorities (such as the Personal Data Authority) and how to deal with any sub-processing of the personal data.
For questions on this topic, drafting the agreement or for advice on the transfer of personal data to the U.S., please contact me.
As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us for personalized information about our services.