On July 16th, the Court of Justice of the European Union (CJEU) eliminated the EU-US Privacy Shield for lawful transfers of EU personal data to the US. Companies must now find lawful solutions embodying "supplemental measures" like those exemplified by the Data Embassy Principles described below to enable uninterrupted international data flows for business continuity. Continue reading below to learn more:
Data Embassy Principles enable ongoing, predictable operations by resolving potential disruptive changes to the $7.1 Trillion transatlantic data analytics, AI and ML economy.
Data Embassy Principles maximise lawful and ethical secondary data processing, like analytics, AI and ML using EU personal data, by technically enforcing established EU data protection principles to satisfy new requirements recently established by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), “Schrems II.”
Data Embassy Principles comprise:
GDPR Pseudonymisation: Enforcing GDPR-compliant Pseudonymisation as per ENISA guidelines. This is in accordance with the new standard set by GDPR Article 4(5) requirements that technically enforce WP29 and EDPS recommendations for Functional Separation. Note that the effectiveness of these protections is able to be appealed by data subjects to an EU supervisory authority, ensuring the availability of effective judicial remedy under Article 47 of the EU Charter.
Before 16 July 2020
The EU-US Privacy Shield enabled EU personal data to flow between the EU and the US prior to Schrems II decision by the CJEU on 16 July 2020.
Data Embassy Principles address immediate, potentially highly disruptive obligations imposed by Schrems II for the global data ecosystem. Under Schrems II, without appropriate safeguards to supplement the protection of contractual protections to prevent the misuse of data technically:
Data Embassy Principles embed risk-based controls into the data, so that risk is managed wherever the data goes, even during data sharing, combining, or transforming. This approach uniquely helps to satisfy global requirements for compliant innovative data use, including the new requirements set out by Schrems II.
For more information, please read:
Situation After 16 July 2020
After the Schrems II decision by the CJEU on 16 July 2020, Standard Contractual Clauses (SCCs) and Binding Corporate Resolutions (BCRs) must be augmented with “supplemental measures” like Data Embassy principles as necessary to ensure that U.S. laws do not impinge on the level of protection provided under EU law.
US Response to Schrems II:
16 July 2020
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.
We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.
As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”
EU Response to Schrems II:
17 July 2020
It is in the best interest of all parties to avoid disrupting global commerce as, in the words of the EDPB in its press release:
23 July 2020
Schrems II requires effective mechanisms to ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.
"EDPB FAQ 3: Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer?
Answer: No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S."
EDPB FAQ 10: What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?
Answer: The supplementary measures you could envisage where necessary would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection.
The Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures.
The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.
The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance."
To receive information on Anonos® technology that enforces Data Embassy Principles to achieve a defensible business position and ensure continuity of business operations, please provide the following:
