The Deputy Information Commissioner has shared a series of tips for Jersey companies that transfer personal data to the US, after the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield mechanism for data transfers.
The CJEU recently found that US domestic laws governing US authorities' access to and use of personal data do not provide sufficient protection in line with GDPR requirements.
It came after Austrian lawyer Maximilian Schrems filed a complaint against Facebook with the Irish Data Protection Authority to stop Facebook’s Irish HQ transferring personal data to its US parent, which he believed went against European data protection rules.
To help Jersey companies involved in the transfer of personal data to the US, as well as those that use the services of US-based processors, Deputy Commissioner Paul Vane shared five tips in a blog...
SCCs are still a valid transfer mechanism and may provide a suitable alternative for you if you can satisfy yourself that data subjects can be guaranteed an essentially equivalent level of protection in the receiving jurisdiction.
For inter-group transfers, you could also consider Binding Corporate Rules, remembering that these must be approved in advance of any transfers by the JOIC.
Critically examine all your flows and identify what safeguards you have in place for transfers to non-EU jurisdictions. Also assess the level of protection offered to personal data in the jurisdiction to which you are transferring the data: look at access to the court system, understand the ability to seek legal recourse if things go wrong, and look at the availability and powers of any regulator/ombudsman. You may also want to consider whether the authorities in that jurisdiction can access the information and on what basis.
If you use a service provider/Processor in the US, make sure the processing contract reflects the appropriate mechanism and safeguards for transferring personal data. You may also want to consider changing your provider to one that can offer an adequate level of protection for data subjects.
The European Data Protection Board (EDPB) will very likely publish updates on the legality of data transfers where SCCs have been used. Keep in mind the CJEU position on SCCs may change!
Try not to rely on one single mechanism for your data transfers. Instead, try using SCCs plus another mechanism to ensure you are offering the best protection you can to the personal data you are transferring.