The European Data Protection Board and a number of data protection authorities in EU Member States have issued guidance on how to safeguard EU-US data transfers post-Schrems II.

The General Data Protection Regulation (GDPR) and its predecessor laws have always relied on one fundamental principle as far as international data transfers are concerned: adequacy. Any transfer of personal data outside the European Union to a third country whose data protection regime is not considered adequate to protect the rights of data subjects, such as the US, must therefore be restricted.

The aim has always been to ensure that the rights of EU data subjects are not compromised when their data is sent outside the region. The GDPR contains a number of mechanisms for compensating for shortcomings in the recipient country's laws. For US transfers, the most common mechanisms have been standard contractual clauses (SCCs) approved by the European Commission, or self-certification to the EU-US Privacy Shield.

On 16 July 2020, in a case known as Schrems II, the Court of Justice of the European Union (CJEU) issued a landmark ruling that invalidated the Privacy Shield on the basis that the US legal regime governing access to personal data by national security agencies does not contain adequate limitations and safeguards. The CJEU also held that SCCs were sufficient to protect personal data, but that a case-by-case assessment was required of the data protection standards provided in the destination jurisdiction.


Current guidance from EU authorities, including the European Data Protection Board (EDPB), does not provide a fully secure solution for complying with Schrems II. Instead it merely offers a protocol based on another key principle of the GDPR: accountability. To that end, the EDPB lists a combination of measures that can be implemented by data exporters to retain effective control over the data they transfer abroad.

Companies may enter into one of the existing sets of SCC templates issued in 2001 and 2004 and then amended in 2010, and may then strengthen the SCCs with additional contractual commitments to safeguard personal data, such as a more aggressive obligation on data importers to notify their data exporters when they are required to provide data access to local authorities. To be effective, however, local laws must allow the data importer to provide such notification to the data exporter.

The EDPB also suggests that certain organisational measures can be used to effectively safeguard personal data post-transfer. These measures may consist of internal policies and procedures that set out the steps a data importer can take to challenge disproportionate or unlawful requests by local authorities and to provide clear information to data subjects. These procedures should be supported by training sessions that take into account the specific notice and reporting requirements under the data importers' local laws.

There are some interesting congruencies between the EDPB's recommendations for how to secure personal data transfers and the US Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information in order to protect patient privacy. For example, de-identification plays a major role under both legal systems as a means of mitigating the privacy risk to data subjects. Of course, pseudonymisation does not release the parties from their obligations under the GDPR, but it will effectively reduce the privacy risk in many cases, especially if the data exporter retains sole control of the algorithm or repository that permits re-identification.

In addition to the EDPB guidelines, a number of Member States have issued their own guidelines or opinions specific to health data transfers. The German authorities have adopted a strict approach to data transfers that prohibits digital health applications from processing personal (patient) data in the US. The German authorities also explicitly prohibit the use of tools or other services provided by companies that still rely on their Privacy Shield certification to process personal data in the US.

France adopted a similar approach to the German authorities, in response to the wide media coverage of the use of Microsoft as a hosting provider for France's centralised public health database, the Health Data Hub. The French Minister for Health subsequently enacted an order banning the transfer of COVID-19-related personal data outside France.

When conducting the assessment required under the Schrems II ruling, data exporters in the European Union can also rely on findings from courts such as the French Administrative Supreme Court. In its 19 June 2020 decision analysing the risks associated with potential requests from US courts or authorities under the Clarifying Lawful Overseas Use of Data (CLOUD) Act to access data hosted within the European Union by an affiliate of a US entity, the Conseil d'Etat opined that the CLOUD Act provisions did not create a major or urgent risk for health data protection.

Regarding the risk associated with Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12 333, the Conseil d'Etat ruled on 13 October 2020 that, given the essential public interest in maintaining a COVID-19 health database, the risks of access by US authorities, although possible, are not serious enough to justify the suspension of the service and an immediate change of provider.


The most immediate action that companies can take is to understand the extent to which health data is transferred from the European Economic Area (EEA) to the US and other countries not deemed to have an adequate data protection regime. To do this, companies should carry out a data mapping exercise that identifies all cross-border transfers and the mechanism used to validate them.

Once these transfers have been identified, companies should then undertake a data transfer assessment that identifies the inherent risks and whether any supplemental measures should be applied to protect the health data post-transfer. It is important to note that branches or subsidiaries of US cloud service providers are not the only entities that may be covered by US surveillance laws. To some extent, an EU parent company that stores health data in the European Union may be subject to US authorities' access requests if one of its affiliates is established within the European Union and has some form of control over the data. A thorough assessment of the applicability of foreign surveillance laws to any provider should thus be conducted as part of the data transfer assessment.
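The data mapping exercise and the transfer assessment described in the two paragraphs above can be driven from a single transfer inventory. The following is an added example, not code from the article or from any authority it cites: it walks a constructed inventory of cross-border transfers and emits the findings a reviewer would need to triage (invalidated mechanism, missing mechanism, case-by-case assessment required, US affiliate control, health data needing supplemental measures, onward transfers to sub-processors). The record fields, finding codes and the `ADEQUATE_DESTINATIONS` set are assumptions for the example; the real list of adequate destinations is the European Commission's adequacy decisions, not this placeholder.

```python
"""Transfer-inventory check for a Schrems II data mapping exercise.

Added example. The inventory records below are constructed, and the
set of adequate destinations is a placeholder, not the Commission's list.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Placeholder: stands in for the destinations covered by an adequacy decision.
ADEQUATE_DESTINATIONS = {"EEA", "CH", "JP"}


@dataclass
class Transfer:
    dataset: str
    health_data: bool
    destination: str            # region/country code where the importer holds the data
    mechanism: str              # "none", "scc", "bcr" or "privacy_shield"
    us_affiliate_control: bool  # a US affiliate can direct access to the data
    sub_processors: List[str] = field(default_factory=list)


def assess_transfer(t: Transfer) -> List[str]:
    """Return the findings for one transfer as 'CODE: explanation' strings."""
    findings: List[str] = []
    restricted = t.destination not in ADEQUATE_DESTINATIONS

    if restricted:
        if t.mechanism == "privacy_shield":
            findings.append("INVALID_MECHANISM: Privacy Shield was invalidated by Schrems II")
        elif t.mechanism == "none":
            findings.append("MISSING_MECHANISM: no transfer tool for a non-adequate destination")
        else:  # SCCs or BCRs remain usable, but only with a case-by-case assessment
            findings.append("TRANSFER_ASSESSMENT: assess destination law and supplemental measures")

    # Data hosted in the EU is not automatically out of scope of US surveillance law
    # when a US affiliate controls it; that applicability must be reviewed too.
    if t.us_affiliate_control:
        findings.append("SURVEILLANCE_LAW_REVIEW: US affiliate control; review FISA 702 / CLOUD Act exposure")

    if t.health_data and findings:
        findings.append("SUPPLEMENTAL_MEASURES: health data; consider pseudonymisation and encryption")

    if t.sub_processors:
        findings.append("ONWARD_TRANSFER: review sub-processor safeguards for " + ", ".join(t.sub_processors))

    return findings


def finding_codes(t: Transfer) -> List[str]:
    """Just the finding codes, convenient for reporting and for tests."""
    return [f.split(":", 1)[0] for f in assess_transfer(t)]


def run_inventory(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Map each dataset name to its findings; datasets with none are included as []."""
    return {t.dataset: assess_transfer(t) for t in transfers}


# Constructed inventory for the example; none of these are real systems.
SAMPLE_INVENTORY = [
    Transfer("patient-portal-db", True, "EEA", "none", False),
    Transfer("analytics-export", True, "US", "privacy_shield", True, ["us-analytics-vendor"]),
    Transfer("support-tickets", False, "US", "scc", True),
    Transfer("eu-hosted-imaging", True, "EEA", "none", True),
]

if __name__ == "__main__":
    for dataset, findings in run_inventory(SAMPLE_INVENTORY).items():
        print(dataset)
        for f in findings or ["OK: no restricted transfer identified"]:
            print("  -", f)
```

The ordering of the rules matters for the reader of the report: the mechanism question is settled first, then the surveillance-law question is asked regardless of where the data sits, and the health-data flag is raised only when some other finding exists, so purely intra-EEA processing without US affiliate control produces no noise.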

Because health data is sensitive in nature, companies should take extra care when assessing which technical and organisational measures are prudent to protect against surveillance. Companies may consider additional technical safeguards, such as pseudonymisation and encryption in transit and at rest, as well as organisational safeguards such as explicit contract provisions that permit onsite or remote audits and, if applicable, prohibitions on sharing data with companies that are subject to FISA 702.
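The pseudonymisation safeguard mentioned here, and the earlier point that it works best when the data exporter retains sole control of the algorithm or repository that permits re-identification, can be made concrete. The following is an added example, not code from the article: an exporter-side component that replaces direct identifiers with keyed pseudonyms (HMAC-SHA256) before export, keeps both the key and the pseudonym-to-identifier table on the exporter's side, and hands the importer only the pseudonymised records. The class and field names, and the constructed patient records, are assumptions for the example.

```python
"""Exporter-controlled pseudonymisation before a cross-border transfer.

Added example. The importer receives records carrying only a keyed pseudonym;
the HMAC key and the re-identification table never leave the exporter.
Patient records below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


class ExporterPseudonymiser:
    """Holds the secret key and the re-identification repository for the exporter."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A random 256-bit key by default. Using a keyed HMAC rather than a plain
        # hash means the importer cannot recover a low-entropy identifier (a
        # national ID, a date of birth) by hashing candidate values itself.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reident: Dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        """Deterministic pseudonym: the same patient maps to the same value,
        so records stay linkable for the importer without revealing the identity."""
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._reident[tag] = identifier
        return tag

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the exporter, holding this table, can reverse a pseudonym."""
        return self._reident.get(pseudonym)

    def prepare_export(self, records: Iterable[Dict[str, str]],
                       direct_identifiers: Iterable[str]) -> List[Dict[str, str]]:
        """Strip direct identifiers and attach the pseudonym as 'subject_id'."""
        drop = set(direct_identifiers)
        exported: List[Dict[str, str]] = []
        for rec in records:
            out = {k: v for k, v in rec.items() if k not in drop}
            out["subject_id"] = self.pseudonymise(rec["patient_id"])
            exported.append(out)
        return exported


# Constructed sample records; 'patient_id' and 'name' are the direct identifiers.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "name": "Example Patient A", "diagnosis_code": "J45", "visit": "2020-07"},
    {"patient_id": "P-0002", "name": "Example Patient B", "diagnosis_code": "E11", "visit": "2020-07"},
    {"patient_id": "P-0001", "name": "Example Patient A", "diagnosis_code": "J45", "visit": "2020-09"},
]
DIRECT_IDENTIFIERS = ("patient_id", "name")


def export_sample(key: Optional[bytes] = None):
    """Run the export on the sample data; returns (exporter, exported_records)."""
    exporter = ExporterPseudonymiser(key)
    return exporter, exporter.prepare_export(SAMPLE_RECORDS, DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    exporter, exported = export_sample()
    for row in exported:
        print(row)
    # Only the exporter can go back from a pseudonym to the patient.
    print(exporter.reidentify(exported[0]["subject_id"]))
```

Two design points follow the article's reasoning. The pseudonym is deterministic so that the importer can still link a patient's visits, which is usually why the data is exported at all; and because the key is held only by the exporter, a second exporter (or an importer guessing identifiers) obtains different values, which is what makes the exporter's sole control of the algorithm meaningful. Encryption in transit and at rest, also named in the paragraph, is a separate layer applied to the exported records and is not shown here.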

Particular care should also be taken where health data may be transferred onward to a third party and where a sub-processor is used, as this creates a supply chain risk. The safeguards for any onward transfer or use of a sub-processor may need to be reviewed, and any US companies engaged in onward transfers will need to conduct a transfer impact assessment as if they were an EU-based data exporter.

In the long term, companies may consider alternative mechanisms for validating data transfers, such as binding corporate rules, obtaining a certification, or adhering to a code of conduct approved by a supervisory authority (although all of these require prior assessment), or relying on consent or other derogations in situations where they can be applied.
