Here we go again… Over the past few weeks, changes introduced by the new U.S. administration have had a significant impact—too many to cover in a short post, but I’m sure most of you are aware.
One of the effects of these changes is a shift in EU-U.S. relations, and unfortunately, not in a positive direction.
A major implication of these changes is the potential impact on the ability to use U.S. cloud services and transfer personal data to the U.S. under Chapter V of the GDPR (remember, “transfer” also includes access to data from the U.S., as per the GDPR). One of the effects is a possible withdrawal by the EU Commission of the adequacy decision in respect of the EU-US Data Privacy Framework (DPF). I highly recommend reading IMY’s latest blog post on this topic for more information (link) (in Swedish).
IMY is not the only authority addressing this issue. Earlier this week, the Norwegian Data Protection Authority made a similar post where they advised organizations to have an exit strategy for what to do if you can no longer transfer personal data to the U.S. in the same way as today.
Meanwhile, IMY’s latest blog post emphasizes the need for organizations to establish a plan for another transfer tool or legal basis under Chapter V of the GDPR should the DPF decision be withdrawn. Unlike the Norwegian DPA, IMY does not explicitly recommend planning to stop using these services. Sometimes, what is left unsaid can be just as significant, but it could also simply reflect IMY’s usually cautious approach in its public statements.
Based on our experience from several Transfer Impact Assessment projects in recent years, SCCs are already the most commonly used transfer mechanism for businesses, so the revocation of the DPF may not result in too much additional work in this respect.
More concerning, many EU data protection lawyers, including myself, find that recent changes in the U.S. increase the likelihood that the U.S. will be deemed inadequate for personal data transfers under Chapter V of the GDPR unless sufficient supplementary measures are taken (i.e., the U.S. will once again be considered to have “problematic legislation”). This must be considered when using the Standard Contractual Clauses (SCCs), as stated by the ECJ in the Schrems II decision.
In the context of cloud services, implementing these measures effectively is often extremely challenging. Read more in the EDPB’s recommendations on third country transfers and its examples of supplementary measures.
Without adequate supplementary measures, the transfer will be deemed in breach of the GDPR. Entities engaging in such transfers may ultimately be prohibited from continuing these transfers and may face administrative fines as well as claims for damages by data subjects.
Recommendations:
- If you haven’t already, now is the time to map your data transfers and assess your organization’s exposure to U.S. service providers.
- Draft and/or update your current Transfer Impact Assessments as needed.
- Assess your organization’s resilience in the event of a potential ban or, in the worst-case scenario, a complete shutdown of these services.
Prepare for the worst, but hope for the best!
We at Snellman will continue to monitor these developments. Please feel free to reach out directly, or follow our news and updates on our Digital Compliance Tracker.