EU-US Privacy Shield invalidation business implications

On 16th July, the Court of Justice of the EU delivered a ruling in the case known as Schrems II by which it invalidated EU-US Privacy Shield and confirmed the validity of Standard Contractual Clauses, with caveats.

After the CJEU’s Advocate General Henrik Saugmandsgaard Øe published his opinion in the so-called ‘Schrems II’ case in January, the CJEU has now delivered its judgment, pursuant to which the Privacy Shield is declared invalid and SCC remain valid but can only be used under strict conditions.

What did the Court say?

Two important outcomes derive from the judgement issued by the CJEU:

1. The EU-US Privacy Shield is no longer a valid mechanism for international data transfers from the EU to the US.

It is important to note that it was invalidated with immediate effect. The main reason is US surveillance programmes. According to the CJEU, US surveillance programmes are not limited to what is strictly necessary and proportionate as required by EU law, and there are no effective legal remedies in the US to ensure compliance with EU law when EU data subjects’ data is used for national surveillance programmes.

2. SCC remain valid, but with some important caveats.

It is no longer sufficient for a data exporter and data importer to just sign the agreement: the exporting party must make a factual assessment of whether the contract can actually be complied with in practice. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC. Where this is not the case, as is the case in the US, supplementary measures and additional safeguards should be implemented in order to attain the required level of protection; otherwise the transfer should be ceased.

National Data Protection Authorities may suspend or prohibit transfers to a third country if appropriate safeguards cannot be ensured. Based on the CJEU findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US. National Data Protection Authorities’ responses to this decision are yet to be seen.

What does the EDPS say?

On 17th July, following the CJEU ruling, the EDPS, which together with the EDPB had previously expressed its criticisms of the Privacy Shield, released a statement in which it welcomed the Court’s reaffirmation of the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. However, it trusts that “the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court”.

What does the UK Government say?

The UK government intervened in the case, arguing in support of the validity of standard contractual clauses. In their response, they point out their commitment to ensuring “high data protection standards and supporting UK organisations on international data transfer issues”. They have announced that they are working alongside the ICO and international counterparts with the purpose of addressing the impacts of the judgment and ensuring that updated guidance on international data transfers will be provided soon.

EU Data Protection Authorities such as the Irish Data Protection Commissioner and three in Germany (the Federal DPA, the DPA of Hamburg and the DPA of Rheinland-Pfalz) have also issued statements. Other European DPAs are expected to do so soon.

What should I do now when transferring data from the EU to the US?

Where relying on the Privacy Shield:

  • Do not enter into any new agreement governed by the Privacy Shield.
  • Review all your current contracts, especially legacy ones, with your providers, clients or third-party processors and identify those that rely on the Privacy Shield. They should be amended to add SCC or any other valid safeguard covered by the GDPR for international data transfers.

Where relying on SCC:

Although the ICO and other national Data Protection Authorities are expected to produce detailed guidance soon, according to the CJEU, when transferring personal data to third countries relying on SCC you should:

  • Make sure that security and technical measures which provide an adequate level of protection of personal data are actually implemented. You may need to review or at least ask for further information about the data importer’s technical and security measures plus consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
  • Reinforce your accountability processes. Do not simply sign an appendix to your contracts including SCC; rather, have a closer look at the actual security measures and other mechanisms used by the importer, plus the actual situation in the importing country, especially regarding surveillance.

What can we expect in the near future?

It is expected that guidance will be issued by the European Commission as well as the European Data Protection Board. Apart from that, the EU may decide to negotiate a new version of the Privacy Shield that gives EU data subjects stronger privacy rights under US surveillance laws. Likewise, the US came up with the Privacy Shield ten months after Safe Harbor was declared invalid, so one could now hope for it to put in place a new mechanism to address the CJEU’s concerns. On another note, SCC may be updated for the GDPR soon.

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.

The Age of Remote Meetings: Privacy Considerations for Video Conferencing.

In the age of remote work meetings, what are the privacy considerations for video conferencing for remote workers and employers?

We are in the age of remote meetings and interactions, as social distancing became our new normal almost overnight, and this has brought with it a dependence on video meetings and the importance of privacy considerations for video conferencing. It is something we all think about as we hop onto yet another video call, especially having seen news circulating on the issue. Communication technology companies like Zoom have been at the forefront of news and blog articles on the topic of privacy, as increased use has exposed hidden issues, and companies are forced to make changes to their policies and software to ensure compliance with national and international privacy regulations. Ian Hulme, the ICO’s Director of Assurance, recently published guidelines and advice on navigating this new normal – the age of remote meetings – for employers, business owners and managers.

Privacy and Security Settings.

One of the most important privacy considerations with regard to video conferencing is that of transparency. As with any other communication, users need to know how their data will be processed and must have choice and control in the matter. Restricted access, passwords and other privacy and security features like controlling who can share screens should be considered and communicated to employees before starting video conferencing.

Phishing Risks

Security can be compromised in video chat through phishing links and live chat features. While many of us are able to identify phishing links sent in emails, some people are being introduced to video conferencing for the first time in this era of remote meetings, or are simply not very familiar with video meetings. They are therefore not aware enough to spot phishing that may happen through a remote meeting. It is imperative that we remain vigilant against possible phishing by malicious users. Unexpected links should not be followed, especially when coming from an unrecognised source.

Video Conferencing that matches Company Policies.

Ian Hulme, Director of Regulatory Assurance at the ICO, advises that video conferencing technology is checked against a company’s policies to make sure that they align. While many organisations quickly find solutions to their sudden need to function remotely with employees spread over the city, country or globe, it is important to double-check the tools we resort to, to make sure that they match organisational policies.

Up-to-date Software.

Keeping software up to date is one of the most effective security measures we can take. Outdated software puts our data at risk. If using video conferencing apps, we need to ensure that all available software updates are applied regularly. If accessing video conferencing software through the web browser, the web browser itself must also be kept up to date to protect data.

As with any business decision, the organisation’s decision on video conferencing solutions should be re-examined from time to time, to make sure that it is aligned with its policies and needs, and with any updates to laws and external policies.

Do you need assistance with the appropriate safeguards and policies that should apply to organisational video conferencing? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.

EDPB Releases Statement on Privacy Implications of Mergers.

The European Data Protection Board released a statement last month on the privacy implications of mergers.

The European Data Protection Board has expressed concern over the privacy implications of mergers upon becoming aware of the intention of Google LLC to acquire Fitbit Inc. The board is primarily concerned that this may put a major tech company in a position to acquire even more sensitive personal data about people in Europe, and that this could pose a high-level risk to the fundamental rights to privacy and the protection of personal data. The EDPB has stated before that it is imperative to assess the longer-term implications of significant mergers like this on consumer rights and data protection. In the statement, the EDPB reminds the parties to this proposed merger to assess and mitigate any possible risks of the merger to the rights to privacy and data protection before notifying the European Commission of the proposed merger.

“The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.” The board will itself consider the implications that this merger may have for the protection of personal data in the European Economic Area and, while remaining vigilant on this and similar cases in the future, stands ready to contribute its advice on the proposed merger to the Commission if so requested.

In a 2018 statement, considering the acquisition of Shazam by Apple, the EDPB warned that increased concentration in digital markets could potentially threaten the level of data protection and freedom enjoyed by digital consumers, and advised that independent data protection authorities may aid in the assessment of such an impact on the consumer or society. It also added that “This assessment, as well as the identification of conditions or remedies for mitigating negative impacts on privacy and other freedoms, may be separate to and independent from, or integrated into, the analysis carried out by competition authorities during their assessment under competition law.”

When it comes to sharing customers’ data in this context, mergers might be the suitable way to go, because they imply that the controller entity does not change. All other ways would need to be extremely transparent and give the users involved a chance to object. However, if the controller becomes part of a corporate group, the data could be shared within the group subject to a legitimate interest assessment (LIA). This should be done on a case-by-case basis anyway, as the LIA might not always pass the proportionality test.

According to Cristina Contero Almagro, Aphaia’s Partner, “the assessment of the data protection requirements and privacy implications of the merger should cover, as one of its main elements, a full evaluation of the security measures that are in place in the other company, not only the current ones, but also those implemented during the previous years. The data breach suffered by Marriott last year is a good example that shows the relevance of properly checking and monitoring the security measures before going ahead with an acquisition or a merger”.

Do you have questions about how a merger or an acquisition may impact data protection in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.