Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

More on Schrems II: No grace period for cross-border data flows – So moving on to next steps

By Chantal Bernier
August 5, 2020
  • Cybersecurity
  • Health Information Privacy

When the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a vehicle to transfer personal data from the EU to the US, on July 16, 2020, the obvious question was: “What is the transition period?” The answer is now coming from Data Protection Authorities in Europe: there is none. This is what companies that used to rely on the EU-US Privacy Shield should do now to bring their cross-border personal data transfers in line with European law:

  • Reassess all transfers currently occurring under the EU-US Privacy Shield to determine the appropriate legal basis for further transfer by performing “data export impact assessments”, meaning, in accordance with the decision of the CJEU, assessing the specific risks of transfer to a specific country of destination and/or through a specific data importer. The test, stated at Article 44 of the GDPR, is that “the level of protection of natural persons guaranteed by the Regulation is not undermined.”
  • Negotiate Standard Contractual Clauses (SCCs) to govern the transfer of personal data between organizations or develop Binding Corporate Rules (BCRs) for the transfer of data among affiliates of one organization, or use individual consent where it is applicable. For example, in e-commerce, while it is not ideal, some companies may want to consider the practicality of subjecting a transaction to express consent to cross-border data transfer.
  • Obtain warranties from the organizations receiving EU data (the data importers) under SCCs, or verify, in relation to their own BCRs, that they are not precluded by local law from complying with SCCs and BCRs, such as through State interference with personal data, allowed by law, in the country of destination.
  • Adopt
    • internal guidelines for their contract staff to limit cross-border data transfers to countries where the SCCs or BCRs are not undermined by local law on State access to personal data;
    • technological safeguards, as well as guidelines for their implementation, to allow only legitimate State access to personal data for public safety reasons.

The European Data Protection Board (EDPB), the body created by the GDPR to “ensure the consistent application of the Regulation”, is currently examining what supplementary measures – whether legal, technical or organizational – could be applied to transfer data to third countries where SCCs or BCRs would not, on their own, provide a sufficient level of guarantees in view of the law of the country of destination.

While guidance is being developed, organizations are still expected to address the legal basis for transfer of personal data formerly under the EU-US Privacy Shield, immediately.

Dentons is preparing material to assist its clients in this regard. We encourage you to seek advice from your privacy counsel to ensure compliance in cross border personal data flows.


About Chantal Bernier

Chantal Bernier leads Dentons’ Canadian Privacy and Cybersecurity practice group. She is also a member of the Firm’s Government Affairs and Public Policy group. Chantal advises leading-edge national and international companies as they expand into Canada and Europe, enter the e-commerce space, adopt data analytics and roll out data-based market initiatives. Her clients include ad tech companies, financial institutions, biotech companies, data analytics firms and government institutions.
