What to do after the end of the Privacy Shield? Don't count too much on Europe...

You will remember that the privacy shield, the agreement that allowed the transfer of personal data between Europe and the US, was annulled by the European Court of Justice. Shortly afterwards, the European Data Protection Board (EDPB), the European authority that groups together national data protection authorities, announced that this decision was immediately applicable and therefore that there would be no grace period.

As a result, the use of tools such as Google ads, Facebook ads, video conferencing tools such as Zoom or Teams, etc. is simply prohibited. It is clear that this decision has important consequences for European companies.

As the Privacy Shield is an agreement negotiated between Europe and the US, it was logical that everyone expected a reaction from the European authorities. The European Parliament organized a "hearing" on this subject on September 3 in the presence of European Commissioner Didier Reynders and Austrian lawyer Max Schrems, who not only initiated the procedure to cancel the Privacy Shield, but has already, through his organization NOYB, filed a complaint against 101 European companies that continued to send data to the US.

This meeting brought us several information, which we will analyze:

• The European Commission will work with the European data protection board (EDPB) to provide an "appropriate response"... In short, a number of meetings will be scheduled.
• The Commission will work on three aspects
  • Create guidelines for companies. This is indeed what all European companies are waiting for
  • Modernize the "standard clauses" that allow international transfers. A first version should be proposed in September for adoption at the end of 2020. This is a good idea, especially since these clauses date from before the RGPD. But let's remember that the Court of Justice has specified that these clauses cannot be used for transfers to the USA. And for these clauses to be adopted, the agreement of the EDPB and the Member States is required.
  • Working with the US on a "potential enhanced framework" for EU-US transfers. In layman's terms, we are in for many months if not years of negotiations. The European Commissioner recalled that the outcome of these negotiations would require legislative change in the US and that the presidential election will not make this any easier.
• Regarding the 101 complaints filed by the Max Schrems organization (NOYB), the EDPB has set up a task force so that the national authorities in charge of these complaints have a common approach. This coordination is also a request of the actors of the data protection sector. Indeed, if the fact that the RGPD is a regulation with the same text for all Member States allows a European uniformity, jurisprudence of different authorities too different would reduce to nothing this uniformity.
• The EDPB has announced that it will work on guidelines for data transfers outside Europe. Good initiative, but it is not certain that this will solve the issue of EU-US transfers.

From experience, we know that the European decision-making process is slow and that what we learned on 3/9/2020 does not provide solutions for companies regarding data transfers to US companies. Transfers are now prohibited, which poses many practical problems for European organizations, both large and small.

I can only advise companies, especially the thousands of customers of GDPRfolder to check existing contracts, identify those that allow data to be sent to US companies and see if there are alternatives.

File to follow...