In July 2020, the Court of Justice of the European Union (CJEU) in the “Schrems II” decision invalidated the EU-U.S. Privacy Shield Framework as a legal basis for data transfer from the EU to the U.S. As a result of this immediate invalidation, the U.S. no longer has a data adequacy agreement with the EU.
The U.S. will now be treated as an inadequate “third country” for data transfers from the EU to the U.S. under the General Data Protection Regulation (GDPR). Therefore, if your company was relying on the Privacy Shield as a legal basis for cross-border data transfers from the EU to the U.S., your company must immediately find an alternative legal basis or stop transferring data to the U.S.
The Schrems II decision also requires companies that continue to make limited data transfers (in certain circumstances) to do so under an alternative legal basis, such as legitimate interest or the performance of a contract. When such a transfer occurs, the EU data controller must ensure that the U.S. data processor provides “appropriate safeguards” for the data.
This article will explore Standard Contractual Clauses, data anonymization, and data minimization as “appropriate safeguards” that companies should consider when managing data transfers from the EU to the U.S. after Schrems II in the limited circumstances mentioned above.
Standard Contractual Clauses
Even before the 2020 EU-U.S. Privacy Shield invalidation, the use of EU-approved Standard Contractual Clauses was the most widely used mechanism to transfer data outside of the EU. Standard Contractual Clauses are pre-approved clauses that businesses can add to contracts related to data transfers outside of the EU.
While the Schrems II decision affirmed Standard Contractual Clauses as a valid “additional safeguard” for data transfers, the ruling also called upon data controllers to create specific contracts that detail the additional measures data controllers and data processors take to protect the data during transfer.
The data controller’s role is to evaluate whether the data transfer contract contains appropriate additional measures, detailing how the data will be secured and managed before a data transfer to the U.S. can take place (for instance, through data encryption or tokenization). If the additional measures are insufficient, the EU data controller must immediately stop the U.S. data transfer.
Data Anonymization
Data anonymization is another mechanism by which data can be transferred from the EU to the U.S. without running afoul of the GDPR. Data anonymization is the removal of personally identifiable details about individuals from the data before it is transferred to the U.S. If an EU company can anonymize the data before the U.S. transfer, the data privacy challenges under the GDPR diminish.
Data anonymization is highly recommended, but it can be a time-consuming and daunting task, because creating anonymized data sets requires the proper talent and technology.
Data Minimization
One additional and crucial preventive measure for reducing data transfer risk is data minimization (reducing the amount or type of data being transferred). For each individual data transfer, EU data controllers should evaluate whether the data sent to a data processor in the U.S. is necessary to perform the required task. In addition, data controllers should consider whether personal or sensitive data can be reduced to the minimum that must be transferred to the U.S.
The GDPR strongly recommends data minimization as a long-term data strategy that helps companies cope with regulations protecting individuals’ data privacy. As more companies find ways to reduce data down to what is necessary, they can reduce their data risk when performing data-minimized transfers to the U.S.
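The anonymization and minimization steps described above, as an added example that is not part of the article: a Python routine that keeps only the fields a hypothetical U.S. processor needs for its task, generalizes the quasi-identifiers that remain (year of birth, postcode), and refuses to release a record that still carries a direct identifier, which is the controller's check before any transfer takes place. The field names, the allow-list, the sample record and the "AREA DETAIL" postcode layout are constructed assumptions for the illustration.

```python
"""Added example (not from the article): minimize and anonymize a record
before it leaves the EU, then verify that no direct identifier remains.
All field names, lists and sample values below are constructed."""
import re

# Fields the (hypothetical) U.S. processor needs to perform its task.
# Everything else is dropped: this is the data-minimization step.
REQUIRED_FIELDS = {"order_id", "product_sku", "country", "birth_year", "postcode"}

# Field names that are direct identifiers and must never be transferred
# regardless of the task (constructed list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "iban", "ip_address"}

# Patterns that catch identifiers hiding in free-text values.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{6,}\d")


def minimize_record(record, required=REQUIRED_FIELDS):
    """Data minimization: keep only the fields needed for the processor's task."""
    return {k: v for k, v in record.items() if k in required}


def generalize_quasi_identifiers(record, reference_year=2020):
    """Anonymization step: coarsen values that could re-identify a person when
    combined. Year of birth becomes a ten-year age band; the postcode keeps
    only its outward part (assumes an "AREA DETAIL" layout)."""
    out = dict(record)
    if "birth_year" in out:
        decade = (out["birth_year"] // 10) * 10
        out["age_band"] = f"{reference_year - decade - 9}-{reference_year - decade}"
        del out["birth_year"]
    if "postcode" in out:
        out["postcode"] = out["postcode"].split(" ")[0]
    return out


def residual_identifiers(record):
    """Return the names of fields that still look like direct identifiers,
    either by field name or because the value matches an e-mail/phone pattern."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            found.append(key)
        elif isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.search(value)):
            found.append(key)
    return found


def prepare_for_transfer(record):
    """Minimize, generalize, then refuse to release the record if a direct
    identifier survived (for example an e-mail address inside a free-text field)."""
    out = generalize_quasi_identifiers(minimize_record(record))
    leaks = residual_identifiers(out)
    if leaks:
        raise ValueError(f"record still contains identifiers in fields: {leaks}")
    return out


# Constructed sample record held by the EU controller.
SAMPLE = {
    "order_id": "ORD-1001",
    "name": "Anna Example",
    "email": "anna@example.org",
    "phone": "+49 30 1234567",
    "iban": "DE00 0000 0000 0000 0000 00",
    "country": "DE",
    "birth_year": 1987,
    "postcode": "SW1A 1AA",
    "product_sku": "SKU-42",
    "ip_address": "192.0.2.10",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE))
    print("after: ", prepare_for_transfer(SAMPLE))
```

Whether the output counts as anonymized under the GDPR depends on whether anyone, including the controller, can still link it back to a person; if the controller keeps a table mapping order_id to the customer, the transferred data is pseudonymized rather than anonymized, and the transfer still needs a legal basis and safeguards. The residual check matters because minimization by field name does not catch an identifier typed into a field that is on the allow-list.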
Although companies can explore additional measures for EU to U.S. data transfers after Schrems II, Standard Contractual Clauses, data anonymization, and data minimization are effective data strategies to evaluate future data transfer from the EU to the U.S.