EU-US Privacy Shield invalid
On 16 July 2020, the Court of Justice of the European Union declared the EU-US Privacy Shield agreements invalid. As a result, a complex situation has arisen when it comes to transferring personal data to the US and to other countries with which the EU does not have valid personal data protection agreements. Any transfer of personal data of EU citizens to the United States under the Privacy Shield is no longer lawful. This has acute consequences for existing contractual agreements and procurement processes that make use of the Privacy Shield.
Standard contractual clauses do not solve the problems
With the abolition of the Privacy Shield, organisations must fall back on other instruments for the transfer of personal data, such as the so-called Standard Contractual Clauses (SCCs). However, the use of SCCs is problematic. In its ruling, the Court indicated that SCCs may only be used if an 'equivalent level of protection' can be guaranteed in practice. The impact of the ruling is not limited to the US, but also affects the exchange of data with countries outside the EEA.
Working together on recommendations for the safe exchange of personal data
Within the SURF Taskforce Beyond Privacy Shield, the education and research sector is working together to determine how we can best deal with this situation. We are jointly working on recommendations and best practices for the safe international exchange of personal data and alternatives to the EU-US Privacy Shield. SURF and its members can use these recommendations and best practices within their own organisations.
We have already produced (and are preparing) the following:
- A roadmap to account for data transfers to the US, which includes:
  - A guide "Inventory data transfers to the US" (PDF, in Dutch)
  - 18 use cases in which the invalidation of the EU-US Privacy Shield has consequences for the legitimacy of the data transfer, including root cause analysis and mitigating measures
Members of the SURF Taskforce Beyond Privacy Shield
The SURF Taskforce Beyond Privacy Shield consists of 15 experts from all sectors of education and research: secondary schools, universities of applied sciences and research institutions.
| Name | Institution |
|---|---|
| Marlon Domingus (chair) | Erasmus University Rotterdam |
| Agnieszka Buursma | University of Applied Sciences NHL Stenden |
| Annemarie Arnaud de Calavon | Alfa-college |
| Boudien Sieperda | University Medical Center Groningen |
| Ingeborg ten Oever | Breda University of Applied Sciences |
| Henk van Wijk | Radboud University |
| Jan van Alphen | University Medical Center Utrecht |
| Joëlle Versluis | Royal Netherlands Academy of Arts and Sciences |
| Moswa Herregodts | Tilburg University |
| P. Vermeijs | MBO Raad |
| Remy van den Boom | TNO |
| Wesley Cornelissen | HAN University of Applied Sciences |
| Wim Snippe | University of Applied Sciences Windesheim |
| Henk Swaters | University of Twente |
The Taskforce also includes these representatives from SURF:
- Bas Dittner, project manager and SURF Legal Counsel Procurement & Contracting
- Niels Huijbregts, SURF Data Protection Officer
- Samantha van den Hoek, process organisation
The Taskforce works together in a number of working groups, on the following assignments:
- Creating guidance for:
  - inventorying existing transfers of personal data to the US, based on the 'EU-US Privacy Shield'
  - ensuring the organization's full and actual insight into the transfers of personal data to the US
- Identifying use cases in which action from the institution is required due to the invalidity of the Privacy Shield.
- Making a substantiated analysis, per use case, of the underlying legal issues, and the associated mitigating legal, technical and organizational measures.
- Drafting a general disclaimer, applicable to the guidelines, stating that the institution is advised, but remains responsible.
- Making a glossary of terms and bibliography (relevant and in-depth literature).
Initial advice for procurement teams
Prior to setting up the Taskforce Beyond Privacy Shield, SURF issued an advisory report. This report contains practical recommendations for purchasing teams at institutions regarding current contracts and purchasing processes that involve, or may involve, the transfer of personal data to the United States.
After the publication of this advisory report, the European Data Protection Board (EDPB) drew up recommendations for the transfer of personal data to third countries (countries outside the EU). These have not yet been incorporated into the document. The Taskforce will update the document and elaborate on it further.
- Read the advisory report 'Invalidation of the EU-US Privacy Shield and consequences for contracts and procurement procedures' (PDF, in Dutch)
Would you like to know more about the activities of the SURF Taskforce Beyond Privacy Shield? Please contact Samantha van den Hoek, or by phone +31 6 28 50 32 17.