The legal instrument that used to allow data flow between the United States and the European Union, the Privacy Shield, has been annulled just like its predecessor, the so-called Safe Harbor. This seems to indicate we are facing a problem of incompatibility between two very different systems with different visions on privacy and data protection. 

Today, many companies use hosting and mailing services, cloud software, or electronic hiring processes provided by American companies or companies whose servers are located in the United States. Therefore, it is essential for the Authorities to offer a solution as soon as possible.

While it is true that there are alternatives to the Privacy Shield, the absence of official pronouncements by the EU, as well as by the Supervisory Authorities of the member countries, means that none of them is currently fully adequate. Therefore, the first option would be to wait for a pronouncement from the E.U. with clear instructions for action, but in the event the official solution were to take too long to arrive, other options that would be viable for companies are: (i) to migrate personal data to servers hosted within the European Economic Area (EEA) or, (ii) to change the provider to another one hosting the data within the EEA.

Apart from the above, alternative figures to cover the needs previously covered by the Privacy Shield would be the following:

1. Standard Contractual Clauses (SCC) are an instrument that provides appropriate guarantees for personal data transfer to data controllers established in third countries. Following the CJEU Ruling, these clauses remain valid, but new obligations are added for exporters and importers, as well as greater control by the Supervisory Authorities, which could become an obstacle to their use.

Therefore, current SCC models do not take into account the content of the CJEU Ruling, so it will be a matter of waiting for new ones to replace them. However, until Europe comes up with a solution, this would probably be the most appropriate way to carry out international transfers.

2. Binding Corporate Rules (BCR). These are policies adopted by the Data Controller (or Processor) with the aim of providing guarantees for data transfer to another Data controller or Processor located in a third country.

Unlike SCCs, this instrument would be less suited to the real needs of an SME or a non-multinational company, since this route is aimed at large groups of companies that frequently carry out international data transfers between different countries without an adequate level of protection. Furthermore, its use is conditioned by the approval of the Supervisory Authority, in the case of Spain the Spanish Data Protection Agency (AEPD).

3. Exceptions for specific situations: Where none of the above instruments is available, the GDPR provides a series of exemptions for international transfers, such as explicit data subject consent. These exceptions must be applied on a case-by-case basis and their practical application is very limited. Unfortunately, this very exceptional route would also not be feasible for the normal operation of a company  that needs to host their data on a day-to-day basis. 

This whole situation has many people wondering whether it will be more complicated and costly to achieve adequate data protection from now on. It is difficult to make an assessment on this issue without knowing the opinion of the Supervisory Authorities, but everything indicates that the intentions—at least this is what has been expressed by the EDPB (European Data Protection Board) after the publication of the CJEU Ruling—are aimed at reconstructing a valid framework that will continue to cover data flow between the USA and the EU.

Finally, as a last resort, it could be considered whether companies should stop data processing and data transfer to the United States until the new legal framework is resolved, to avoid the risk of being fined. However, at PONS IP we advise to delve into the alternatives offered by the regulations so that companies are not forced to interrupt their activities.

As for possible sanctions, international data transfers that continue to be carried out under the Privacy Shield framework will no longer be legally valid, and they would constitute a breach in the eyes of the Supervisory Authorities. However, the AEPD takes into account a series of criteria for imposing sanctions, including wilful misconduct and negligence. Therefore, it seems clear that, as we are in such an exceptional situation and are lacking guidance or guidelines from the Data Protection Authorities themselves, the spirit of the AEPD should not be punitive, at least until there is a criterion that can be followed by companies and that offers security to everyone.

For the time being, the EDPB is still working on a solution at European level. Until then, companies that regularly carry out international transfers should take expert advice, both to choose the alternative that best suits their needs, and to know the new obligations they will have to take on board. All this is essential to continue making international transfers without incurring possible sanctions by the authorities.

• September 2020
• Estrella Arana and Paula Barrachina
• PONS IP Data Protection Lawyers