Privacy Shield invalid: transfer of personal data to U.S. in violation of AVG

Date: July 31, 2020

Modified November 14, 2023

Written by: Valerie Lipman

Reading time: +/- 2 minutes

Dutch companies frequently use tools that store data in the United States. Think of cloud providers, e-mail services or web hosting organizations. Until recently, the transfer of personal data to the United States was permitted, as long as the organization in question complied with the so-called Privacy Shield. However, in a ruling of July 16, 2020, the European Court of Justice declared the Privacy Shield invalid. This means that you can no longer rely on the Privacy Shield when using tools that store personal data in the United States. If you continue to do so, you are in violation of the General Data Protection Regulation (AVG, the Dutch abbreviation for the GDPR). In this article you can read which measures you must take as an organization to ensure that you do comply with the AVG.

Privacy Shield & SCCs

Within the European Union (EU), the processing of personal data must comply with the AVG. The AVG provides that, in principle, personal data may only be transferred to countries outside the EU if an adequate level of protection is guaranteed. Since privacy legislation in the United States does not offer the same safeguards as the AVG, additional conditions were laid down in the Privacy Shield agreed between the EU and the United States. As long as U.S. companies complied with the conditions in the Privacy Shield and were certified to that effect, transfers of personal data from the EU to these companies were allowed. However, in its ruling of July 16, 2020 (the Schrems II judgment), the European Court of Justice declared the Privacy Shield invalid. The reason is that adherence by certified U.S. organizations to the terms of the Privacy Shield does not prevent the U.S. government from accessing the personal data for national security purposes, and EU data subjects have no effective legal remedy against such access. The effect of the ruling is that the Privacy Shield can no longer be used to justify the transfer of personal data to the United States.

Many U.S. companies now argue that their tools can still be used as normal because they use so-called Standard Contractual Clauses (SCCs). These are model contracts approved by the European Commission under which personal data may be transferred to countries outside the EU. The European Court of Justice has indeed found SCCs to be valid in principle. At the same time, however, the Court ruled that companies cannot simply assume that the SCCs guarantee an adequate level of protection. To determine that, the legislation of the country in which the personal data are processed must be assessed, among other things. As far as the United States is concerned, SCCs cannot solve the main problem. After all, they are agreements between companies, and the U.S. government is not bound by them. The SCCs therefore do not prevent the U.S. government from accessing the personal data, for example in the context of its surveillance programs. Those programs give the U.S. government far more extensive powers to process personal data than governments have under the AVG. As a result, the level of protection required by the AVG is not adequately guaranteed when personal data are shared with the United States.

The consequence of the ruling of the European Court of Justice is therefore that the use of tools that process personal data in the United States is, in principle, in violation of the AVG. It is therefore important to take measures to ensure that your organization does comply with the AVG.

What steps should you take as an organization?

1. Review what tools are used within your organization that process personal data.

Examples include cloud storage services, CRM packages, e-mail providers and hosting parties. All tools used within your organization for processing personal data must be recorded in a processing register (the record of processing activities). Among other things, this register must also state which personal data you process as an organization, how long you retain these data, for what purpose you process them and to which parties these personal data are passed on. Keeping a processing register is mandatory under the AVG.

2. Try to find out where the organizations offering the tools used store personal data.

Once you have identified which tools you use, it is important to determine where the organization offering each tool stores the personal data. Is this within or outside the European Union? This can often be found in the (processor) agreements concluded with the tool providers, or in the provider's list of sub-processors. This information must also be recorded in the processing register.

3. If a tool stores data in the United States, review:

  1. Whether it is possible to have the data stored within the EU rather than in the United States. Some tools offer this option.
  2. Whether it is possible to switch to another tool provider that does store data within the EU.
  3. Whether the use of the tool is really necessary and, if so, whether SCCs will be used. In addition, it must be considered whether additional safeguards can be taken to protect privacy as much as possible, such as storing the personal data in encrypted form in a way that the provider itself cannot decrypt (with the keys held within the EU). If this is not possible, the use of the tool in question should in principle be discontinued (subject to some limited exceptions).
  4. If the use of the tool really cannot be discontinued in the short term, we recommend at least informing the data subjects whose personal data are collected about the use of the tool and recording that further research will be conducted into the possible alternatives. The EDPB (the European Data Protection Board, the umbrella body of European privacy regulators) is currently investigating the possible next steps. Until this has been clarified, you as an organization must do as much as possible to avoid acting in violation of the AVG, with all the associated risks.

Do you have questions about the transfer of personal data to the United States or the obligations you must comply with under the AVG? If so, please contact Valerie Lipman or Annemarie van Woudenberg.


Stay Focused

As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us for personalized information about our services.