Evaluate risk exposure and potential impacts
With no grace period in place, organizations should immediately evaluate their risk exposure, identifying all personal data flows originating from the EU, as well as any data flow that processes EU citizen personal information. They should prioritize flows to the US and other jurisdictions in which the organization operates and that do not have an adequacy decision by the European Commission.
Countries deemed adequate by the European Commission are jurisdictions where personal data can flow from the EU to that country without any further safeguards being necessary.
Once at-risk personal data sets are identified, organizations should evaluate the impact to their business if the EU personal data set were no longer accessible, which may include a material disruption to business operations, degradation of business intelligence analytics and breach of contract. Legal counsel will require this detail to support risk-informed decisions on actions that may include agreeing to the other transfer mechanisms or offering additional protections to data exporters with respect to EU personal data.
Shift to transfer mechanisms still valid under GDPR
All organizations that transfer personal data outside the EEA will need to rethink their strategy when it comes to transferring personal data of EEA citizens to non-EEA countries, and to the US in particular. Since approved certifications and codes of conduct are not yet fully operational, and since derogations usually do not apply, this mainly equates to SCCs and Binding Corporate Rules (BCRs).
Depending on features of the local legal system in third countries, transferring entities will need to establish additional safeguards where an equivalent level of protection cannot be guaranteed, for example, if access to personal data by public authorities is not balanced according to EU expectations.
Assess SCCs on a case-by-case basis
Organizations relying on SCCs must now assess whether the level of protection is adequate on a case-by-case basis. Relevant considerations for this include, but are not limited to, any additional contractual provisions that may apply and any applicable third-country laws that give the government access to the transferred data.
Notably, BCRs were not addressed as part of the Schrems II decision. BCRs may only be used for intracompany transfers (or transfers between enterprises engaged in a joint economic activity) and must first be approved through a stringent process by multiple data protection authorities.
Organizations also may look to consent, necessity and other derogations outlined under Article 49 of the GDPR that allow for personal data transfers. However, regulatory guidance from the European Data Protection Board has construed these derogations very restrictively, and organizations should approach them with caution.
Transfer of aggregated data
One strategy immediately available to address the sudden loss of data transfers under Privacy Shield is the transfer of aggregated data.
Provided that the fidelity of the aggregated data is established, many organizations have long aggregated or de-identified data whose ultimate purpose is study or analytics (for example, an organization that transfers financial transactions in order to aggregate them and balance finances at the end of a business day). This approach avoids the need to rely on Safe Harbor, Privacy Shield, SCCs or BCRs.