SURF Taskforce Beyond Privacy Shield

The European Court of Justice has declared the EU-US Privacy Shield invalid. This has major consequences for the use of services by SURF and its members. Only by working together we can make progress in this complex subject. We do this within the Taskforce Beyond Privacy Shield. Please read below what the Taskforce does and how we go about it.

studente kijkt op haar laptop

EU-US Privacy Shield invalid

On 16 July 2020, the Court of Justice of the European Union declared the EU-US Privacy Shield agreements invalid. As a result, a complex situation has arisen when it comes to exchanging personal data to the US and to other countries with which the EU does not have valid personal data protection agreements. Any transfer of personal data of EU citizens to the United States under the Privacy Shield is no longer lawful. This has acute consequences for existing contractual agreements and procurement processes that make use of the Privacy Shield.

Standard contractual clauses do not solve the problems

With the abolition of the Privacy Shield, organisations must fall back on other instruments for the transfer of personal data, such as the so-called Standard Contractual Clauses (SCCs). However, the use of SCCs is problematic. In its ruling, the Court indicated that SCCs may only be used if an 'equivalent level of protection' can be guaranteed in practice. The impact of the ruling is not limited to the US, but also affects the exchange of data with countries outside the EEA.

Working together on recommendations for the safe exchange of personal data

Within the SURF Taskforce Beyond Privacy Shield, the education and research sector is working together to determine how we can best deal with this situation. We are jointly working on recommendations and best practices for the safe international exchange of personal data and alternatives to the EU-US Privacy Shield. SURF and its members can use these recommendations and best practices within their own organisations.

Resources

We have already produced (and are preparing) the following:

Members of the SURF Taskforce Beyond Privacy Shield

The SURF Taskforce Beyond Privacy Shield consists of 15 experts from all sectors of education and research: secondary schools, universities of applied sciences, universities of applied sciences and research institutions

View the members of the SURF Taskforce Beyond Privacy Shield
Marlon Domingus (chair) Erasmus University Rotterdam
Agnieszka Buursma University of Applied Sciences NHL Stenden
Annemarie Arnaud de Calavon Alfa-college
Boudien Sieperda University Medical Center Groningen
Ingeborg ten Oever Breda University of Applied Sciences
Henk van Wijk Radboud University
Jan van Alphen University Medical Center Utrecht
Joëlle Versluis Royal Netherlands Academy of Arts and Sciences
Moswa Herregodts Tilburg University
P. Vermeijs MBO Raad
Remy van den Boom TNO
Wesley Cornelissen HAN University of Applied Sciences
Wim Snippe University of Applied Sciences Windesheim
Henk Swaters University of Twente

The Taskforce also includes these representatives from SURF:

  • Bas Dittner, project manager and SURF Legal Counsel Procurement & Contracting
  • Niels Huijbregts, SURF Data Protection Officer
  • Floor Lucas, process organisation

Working groups

The Taskforce works together in a number of working groups, on the following assignments:

  1. Creating a guidance for
    • inventorying existing transfers of personal data to the US, based on the 'EU-US Privacy Shield'
    • ensuring the organization's full and actual insight into the transfers of personal data to the US
  2. Identifying use cases in which action from the institution is required due to the invalidity of the Privacy Shield.
  3. Making a substantiated analysis, per use case, of the underlying legal issues, and the associated mitigating legal, technical and organizational measures.
  4. Making  general disclaimer, applicable to guidelines, stating that the institution is advised, but remains responsible.
  5. Making a glossary of terms and bibliography (relevant and in-depth literature).

Initial advice for procurement teams

Prior to setting up the Taskforce Beyond Privacy Shield, SURF issued an advisory report. This report contains practical recommendations for purchasing teams at institutions regarding current contracts and purchasing processes that involve, or may involve, the transfer of personal data to the United States.

After the publication of this advisory report, the European Data Protection Board (EDPB) drew up recommendations for the transfer of personal data to third countries (countries outside the EU). These have not yet been incorporated into the document. The Taskforce will update the document and further elaborate.

More information

Would you like to know more about the activities of the SURF Taskforce Beyond Privacy Shield? Please contact Floor Lucas at floor.lucas@surf.nl or +31 6 14 33 09 87.