Businesses should prepare for the post Privacy Shield era now, and get binding corporate rules (BCR) and standard contractual clauses (SCC) in place for their own data protection.
Speaking on a conference call after the earlier decision around Privacy Shield being declared invalid, Cordery partners Andre Bywater and Jonathan Armstrong called the announcement “among the most eagerly awaited” in the field of data protection.
Bywater advised listeners that it is worth them doing some due diligence “to see who they are sending data to so they are fully protected.” He said he had not expected Privacy Shield to be invalidated, and it has been declared invalid due to concerns around US domestic law and the access and use of European residents’ data.
With it appearing unlikely that there will be any type of grace period, he recommended putting in SCCs where there is an issue. An SCC is an obligation imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.
Armstrong said it may be the case that SCCs are “probably the only game in town for people” and depending on national challenges, we “could end up with the nightmare where some authorities accept SCCs and some do not.”
Armstrong explained that he does not expect a new and improved version of the Privacy Shield, and while there are more groups that have brought challenges, he is not convinced there would be any short term solution. “We are in a different world post-GDPR, and there are more powers to enforce, so Data Protection Authorities (DPAs) have to step up,” he said. He also argued that any new version of Privacy Shield would “be likely to have more teeth as a result.”
Asked by Infosecurity if BCRs are a better option, Armstrong said they have a different foundation in GDPR and are specifically there to transfer data, but this cannot be done overnight and a sponsoring DPA will need to be found to approve it and take it to other regulators, and that process could take eight to nine months minimum. “It is not a quick fix and you will need interim plans,” he said.
Looking forward, Armstrong said that had Facebook still completed data transfers last night, it could have problems and this could be an overall concern for social media companies. “Most organizations have got to react today or tomorrow and have a plan, it will not be foolproof and include communications and FAQs,” he said.
“There may be some political fudge, and there may be a ‘keep calm and carry on’ message from (vice-president of the European Commission for Values and Transparency) Vera Jourova, as she has bigged-up privacy rights and this is a difficult political tightrope for her and enforcement will be proportionate to give her a chance to create a plan, but aggrieved individuals and pressure groups are not as patient as a regulator could be.”
Bywater said regulators will be taking a much closer look at SCCs and may ask to see them and see where you transfer data, “so take a closer look at what you have in place as this is not something that will go away.”