Recently, the European Court of Justice overturned the EU-US Privacy Shield. This judgement has significant consequences for digital health companies.
UPDATE
Since this ruling, the German BfArM has clarified that digital health apps cannot receive DVG approval if they use US cloud providers. Read more here.
July 2020 saw the ECJ (European Court of Justice) strike down the EU-US Privacy Shield. This agreement provided an easy mechanism for EU companies to transfer or process personal data in the US. However, the ECJ was concerned that US Government agencies could access the personal data with no safeguards.
This decision has a particularly strong impact on SMEs, including digital health startups. Importantly, it affects to anyone exporting data to a non-EU country, not just the US. The court has now released guidance on the implications of the judgement, and we have been analysing how this affects our customers.
What was Privacy Shield?
The GDPR imposes strict rules on transferring and processing personal data outside the EU. In general, any external country must pass certain tests in order to be granted an adequacy decision.
The EU-US Privacy Shield provided a mechanism to comply with data protection requirements when transferring personal data from the EU to the US. In other words, it underpinned the adequacy decision for data transfers to the US.
What actually happened?
On 16th July 2020, the ECJ declared that Privacy Shield was no longer valid. Moreover, this decision was immediately binding and also sets a new minimum level of compliance for all data transfers. So, as of that date, any data transfers that were relying on the Privacy Shield are invalid and all data transfers need to be reevaluated.
This impacts transfers of European Citizens’ data to locations outside of the EU. Unfortunately however, complying isn't as simple as ensuring the data is stored in the EU, since even accessing the data from the US could potentially be interpreted as "processing".
For now, the only valid mechanisms for transferring data from the EU to the US are with the use of so-called Standard Contractual Clauses or through article 49 derogations.
What are Standard Contractual Clauses?
Standard Contractual Clauses are themselves under close scrutiny from the ECJ, so we may see rules tightening even further. In the worst case, Standard Contractual Clauses may also be invalidated by the ECJ. The EDPB (European data protection board) is already looking into what additional measures might be needed in addition to in the Standard Contractual Clauses. So, there is a very good chance additional requirements relating to technical and organisational measures will be added to the Standard Contractual Clauses.
And Article 49 Derogations?
Article 49 Derogations are specific exceptions included within GDPR Article 49 allowing data transfers even when an adequacy decision is not in place. In general, this relates to data transfers that are essential in order to fulfil a contract. However, this a complicated legal area, and you should speak to an expert before relying on this. Importantly, Article 49 Derogations require explicit and detailed consent from the data subject. Also, the EDPB highlights that "the derogations of Article 49 should never lead to a situation where fundamental rights might be breached."
What are the implications for your business?
Clearly, this is big news for many companies, especially those handling sensitive data, such as in the digital health field.
You must use Standard Contractual Clauses
You will now have to use Standard Contractual Clauses in your contracts if you were previously relying on Privacy Shield to transfer data to the US. Or you must immediately stop transferring the data.
You need to ensure you are compliant with GDPR
Standard Contractual Clauses require you to ensure complete compliance with GDPR. They aren't just something you say you do on paper. This means you need to have a system that implements privacy by default and by design.
You need to review all your data transfers
In their commentary, the ECJ explains that you must immediately review all your data transfers to 3rd countries, not just the US. The judgement sets a minimum standard that must be met by any data transfer mechanism.
Conclusions
The ECJ judgement did more than end Privacy Shield. It also has significant implications for all data transfers outside of the EU. With the impending end of the Brexit transition period, this is going to be big news for many companies. In our view, compliance requirements are going to be tightened as a result of the review process. We expect that they will require additional technical measures—something we can also help you with.
Are you worried how this will impact your business? Book a call for advice on how this affects you and for assistance with mitigating the risks.
