New rules on transfers of personal data to non-EEA countries

Based on the judgment of 16 July 2020 (Case C-311/18, hereinafter: the Judgment), the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, i.e. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the US personal data regulations. Essentially, the CJEU held that the Privacy Shield does not provide the appropriate level of personal data protection, since the US public authorities (supervisory bodies in particular) can access personal data of individuals from outside the US. Up to now, the Privacy Shield served as the main legal basis upon which personal data transfers were made to the US, in line with the General Data Protection Regulation 2016/679 (GDPR).

The judgment is likely to have a significant impact on a large part of Polish companies/groups transferring data to the US. In practice, such transfers are usually made:

  • in large groups of companies using global IT networks which give access to data on the employees of EEA-based companies to the employees of US-based entities or through which IT services are rendered by US entities to other companies within the group;
  • in the context of cloud data storage services (which are frequently offered by US entities);
  • in situations where the Google Analytics tool is used for analysing website traffic. This may involve transfers of data collected using cookies to the US, where Google is seated.

In light of the Judgment, companies transferring personal data to the US should reconsider whether such transfers are still advisable and, if so, whether an alternative legal framework for transferring personal data, compliant with the GDPR, should be established. Up to now, such an alternative legal framework was considered to be provided by standard contractual clauses adopted in line with Commission Decision 2010/87. Now, as a consequence of the Judgment and given the vast powers of US intelligence bodies, contractual clauses do not seem to be an efficient tool for ensuring the security of EEA citizens’ personal data being transferred to the US. In the assessment of the CJEU, standard contractual clauses should offer sufficient safeguards with respect to the protection of the privacy and rights of individuals against the intervention of business entities; however, they cannot guarantee protection against access by US public authorities. Thus, entities willing to engage in or continue data transfers to the US must establish new oversight mechanisms mitigating the risk that the applied personal data transfer models would be challenged.

Importantly, the Judgment also shows that standard data protection clauses are an insufficient measure of data protection not only in the case of transfers to the US, but also to other non-EEA countries which do not guarantee data protection equivalent to that provided in the EEA. In particular, this applies to countries which so far have not been recognised by the Commission as providing adequate data protection, but where the authorities may access data on individuals.

How can KPMG assist you?

KPMG D.Dobkowski Law Firm supports its clients in the scope of:

  • personal data protection conformity analyses of current and planned transfers of personal data to non-EEA countries;
  • developing solutions mitigating the risk that the applied personal data transfer models will be challenged, including the application of mechanisms provided for by GDPR;
  • support in contacts and possible disputes with supervisory authorities (including the Polish Personal Data Protection Office).

If we can be of assistance, do not hesitate to contact us.