Schrems II a summary - all you need to know - GDPR Summary

Schrems II a summary - all you need to know - GDPR Summary: Analysis%20of%20the%20current%20situation%20using%20US%20service%20providers%A0%0A%0AOrganizations%20should%20without%20delay%20confirm%20that%20cross-border%20data%20transfers%20it%20is%20responsible%20for%20comply%20with%20the%20GDPR%20and%20this%20recent%20CJEU%u2019s%20judgement.%A0%0A%0AActing%20on%20the%20invalidation%20of%20EU-US%20Privacy%20Shield%A0%0A%0AThere%20will%20likely%20not%20be%20any%20broad%20enforcement%20of%20the%20case%20in%20the%20coming%20months%2C%20just%20like%20the%20last%20time%20when%20the%20prequel%20to%20Privacy%20Shield%2C%20the%20EU-US%20Safe%20Harbour%20mechanism%2C%20was%20invalidated.%A0%0AIf%20your%20company%20has%20business%20interests%20in%20the%20markets%20with%20more%20immediate%20strict%20enforcement%2C%20e.g.%20Netherlands%20and%20Germany.%A0%0ADo%20not%20start%20using%20the%20EU%u2013US%20Privacy%20Shield%20during%20this%20period.%0AConsider%20switching%20to%20an%20alternative%20safeguard%20%28such%20as%20the%20SCC%29.%0AStandard%20data%20protection%20contractual%20clauses%20%28SCCs%29.%0ABinding%20corporate%20rules%20%28BCRs%29.%0ACodes%20of%20conduct.%0ACertification%20mechanisms.%0AAd%20hoc%20contractual%20clauses.%0AAdditionally%2C%20it%20may%20be%20possible%20to%20use%20the%20exemptions%20that%20are%20listed%20in%20article%2049%20of%20the%20GDPR.%0AConsider%20whether%20there%20are%20non-US%20alternative%20suppliers%A0%0AWork%20required%20to%20continue%20to%20use%20Standard%20Contracting%20Clauses%20%28SCC%29%A0%0A%0AIdentify%20the%20cross-border%20transfers%20under%20your%20responsibility.%0APerform%20a%20nuanced%20analysis%20of%20the%20recipient%20country%u2019s%20level%20of%20data%20protection%20compliance%20with%20the%20GDPR.%20Are%20any%20countries%20in%20the%20Five%20Eyes%20Alliance%20involved%20%28Australia%2C%20Canada%2C%20New%20Zealand%2C%20the%20United%20Kingdom%20and%20the%20United%20States%29%2C%20then%20an%20in-depth%20analysis%20is%20required.%A0%0AHelp%20your%20customers%20and%20suppliers%20to%20verify%20the%20level%20of%20data%20protection%20that%20applies%20to%20any%20data%20exports%20under%20your%20responsibility.%20Compile%20your%20privacy%20documentation%2C%20adherence%20to%20relevant%20ISO%20or%20other%20standards%2C%20codes%20of%20conduct%2C%20any%20previous%20prior%20consultations%20from%20your%20supervisory%20authority%3F%A0%0AKeep%20track%20of%20any%20new%20and%20updated%20guidelines%20from%20the%20European%20data%20protection%20regulators%20how%20to%20use%20the%20SCC%u2019s%20and%20their%20statement%20of%20the%20legality%20of%20any%20data%20transfers%20in%20certain%20countries.%A0%0AMonitor%20any%20new%20release%20of%20a%20set%20of%20updated%20SCC%u2019s%20by%20the%20European%20Commission%20that%20will%20come%20shortly%20that%20address%20the%20risks%20identified%20by%20the%20Court%20for%20export%20into%20the%20US.%A0%0AAdd%20additional%20safeguards%20to%20the%20SCC%u2019s%20%28called%20SCC%u2019s%20plus%29%20where%20the%20exporter%20and%20importer%20regulate%20any%20remaining%20risks%20associated%20with%20the%20data%20transfer.%20Such%20other%20safeguards%20can%20involve%20additional%20technical%20controls%20and%20contractual%20obligations%20on%20how%20to%20manage%20onward%20transfers%20and%20compelled%20disclosures%20to%20authorities.%A0%0AFurther%20complications%20using%20SCC%20for%20US%20services%A0%0A%0AKeep%20in%20mind%20that%20this%20ruling%20has%20limited%20impact%20for%20most%20companies%20using%20the%20SCC%20to%20legitimize%20its%20cross-border%20data%20transfers%20when%20the%20transfers%20are%20made%20via%20their%20own%20non-US%20communications%20systems.%A0%0A%0AFor%20any%20US%20transfers%2C%20assess%20if%20the%20recipient%20organization%20is%20subject%20to%20FISA%20section%20702%20and%20Executive%20Order%2012333%2C%20which%20typically%20applies%20where%20the%20recipient%20is%20a%20communication%20service%20provider.%A0%0A%0AAdd%20additional%20safeguards%20to%20the%20SCC%u2019s%20%28called%20SCC%u2019s%20plus%29%20where%20the%20exporter%20and%20importer%20regulate%20any%20remaining%20risks%20associated%20with%20the%20data%20transfer.%20For%20US%20transfers%2C%20it%20will%20be%20crucial%20to%20include%20in%20the%20agreement%3B%20for%20example%2C%20how%20government%20requests%20for%20access%20to%20personal%20data%20must%20be%20handled%20to%20ensure%20that%20your%20organization%20has%20enough%20control.%20And%20also%2C%20technical%20controls%20to%20limit%20the%20use%20of%20the%20data%20could%20be%20implemented.%A0%0A%0AThe%20broader%20significance%20of%20the%20Court%u2019s%20criteria%20for%20global%20data%20export%A0%0A%0AApplying%20the%20Court%u2019s%20criteria%20for%20determining%20the%20recipient%20country%u2019s%20privacy%20legislation%2C%20it%20appears%20likely%20that%20the%20regulator%20holds%20the%20surveillance%20laws%20in%20the%20countries%20of%20the%20intelligence%A0alliance%20the%20Five%20Eyes%20as%20not%20adequate%20to%20the%20GDPR.%20Note%20that%20the%20Five%20Eyes%20alliance%20comprising%20Australia%2C%20Canada%2C%20New%20Zealand%2C%20the%20United%20Kingdom%20and%20the%20United%20States%29.%20Companies%20active%20in%20these%20markets%20may%20consider%20implementing%20additional%20technical%20safeguards%20to%20its%20data%20transfers%20to%20be%20on%20the%20safe%20side%20of%20enforcement.%A0%0A%0ACurrently%2C%20the%20EU%20Commission%20is%20assessing%20the%20UK%u2019s%20privacy%20legislation%20to%20decide%20whether%20to%20provide%20an%20adequacy%20decision%20or%20not%20by%20the%20end%20of%202020.%20In%20the%20absence%20of%20an%20adequacy%20decision%20come%202021%2C%20we%20recommend%20implementing%20additional%20safeguards%20to%20any%20UK%20data%20transfers.%A0%0A%0A