Watchdog gives US data sharing warning

Tuesday 04 August 2020


The Deputy Information Commissioner has shared a series of tips for Jersey companies that transfer personal data to the US, after the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield mechanism for data transfers.

The CJEU recently found that US domestic laws governing US authorities' access to and use of personal data do not provide sufficient protection in line with GDPR requirements.

It came after Austrian lawyer Maximilian Schrems filed a complaint against Facebook with the Irish Data Protection Authority to stop Facebook’s Irish HQ transferring personal data to its US parent, which he believed went against European data protection rules.

To help Jersey companies involved in the transfer of personal data to the US, as well as those that use the services of US-based processors, Deputy Commissioner Paul Vane shared five tips in a blog...

 

1. Find another transfer mechanism

SCCs are still a valid transfer mechanism and may provide a suitable alternative for you if you can satisfy yourself that data subjects can be guaranteed an essentially equivalent level of protection in the receiving jurisdiction.

For inter-group transfers, you could also consider Binding Corporate Rules, remembering that these must be approved in advance of any transfers by the JOIC.

2. Map out your data flows

Critically examine all your flows and identify what safeguards you have in place for transfers to non-EU jurisdictions. Also assess the level of protection offered to personal data in the jurisdiction to which you are transferring the data: look at access to the court system, understand the ability to seek legal recourse if things go wrong, and look at the availability and powers of any regulator/ombudsman. You may also want to consider whether the authorities in that jurisdiction can access the information and on what basis.

3. Re-assess your processing contracts

If you use a service provider/Processor in the US, make sure the processing contract reflects the appropriate mechanism and safeguards for transferring personal data. You may also want to consider changing your provider to one that can offer an adequate level of protection for data subjects.

4. Keep an eye on the news

The European Data Protection Board (EDPB) will very likely publish updates on the legality of data transfers where SCCs have been used. Keep in mind the CJEU position on SCCs may change!

5. Provide additional safeguards

Try not to rely on one single mechanism for your data transfers. Instead, try using SCCs plus another mechanism to ensure you are offering the best protection you can to the personal data you are transferring.
