Privacy Shield Solution

18 December 2020

A few months after the invalidation of the Privacy Shield framework, we analysed the alternatives being chosen by some of the main online service providers.

International data transfers to the United States are currently generally carried out in accordance with the “Standard Contractual Clauses” (SCC).

As we pointed out in our post of 20 July, the most effective legal tool for international data transfers from the European Union to the United States was repealed on 16 July.

What is an international data transfer?

To summarise as simply as possible, an international transfer of data is the movement of personal data from the European Union to other territories, and vice versa.

The Internet is now the channel users turn to most when they want to buy a product, hire a service or simply get information, so web pages are visited by millions of people every day. Through these web pages, a lot of personal data is collected from visitors through cookies or forms.

On many occasions, the owners of these websites need to transfer this data to third countries, either to store it on their servers or to communicate it to a provider, in order to be able to provide the requested service.

Why is an international transfer of data so important for the legislator?

The current European legislation on privacy, faithful to its objective of giving users greater control over their personal data, sees this type of transfer as a risk to achieving this control.

As a result of this risk, the Safe Harbour was cancelled in 2015, and recently its replacement, the Privacy Shield, was also cancelled.

What was the main reason for this annulment?

The European Court of Justice (ECJ), in its judgment in the “Schrems v. Facebook” case (C-311/18), considers that the United States does not guarantee an adequate level of security for personal data transferred to this territory, since the US Government may access these data on grounds of public interest or public security, without respecting the principle of proportionality, which poses a risk.

The Privacy Shield was the best legal tool for carrying out international data transfers, as it was an instrument that guaranteed that the companies that had signed the framework agreement complied with an adequate level of protection for the rights and privacy of the data subjects.

Once the “Privacy Shield” has been removed, what are the possible solutions, and how are large companies dealing with it?

Following the disappearance of the Safe Harbour, the so-called “Standard Contractual Clauses” (SCC) were introduced as the main solution, the validity of which is currently being questioned by the ECJ. However, their use continues to be correct and sufficient to adequately comply with the minimum requirements in terms of privacy and data security.

In fact, the main Internet service providers continue to be committed to the use of SCCs when making agreements involving international data transfers to the United States, while waiting for the European legislator to shed some light on the complementary measures that should be implemented in this area.

As good examples of the way in which the main Internet service providers operate, we can highlight the following:

– Amazon – AWS: uses SCC, pointing out that clients and users can continue to use the AWS service, with the maximum guarantee of data security, and allowing clients to choose the territory in which they wish their data to be stored.

– Mailchimp: in order to guarantee the greatest possible privacy and security, and in anticipation of the possible repeal of the Privacy Shield, they automatically activated the SCCs, which they continue to use. They claim to have taken a number of measures to ensure that data remains protected when it goes outside the European Union.

– Google: mainly bases its transfers outside the EU, UK and Switzerland on the SCC, and its privacy policy (Terms of Data Processing) is continuously updated.

– Microsoft: has invested in the processes necessary to meet SCC requirements, offering its customers specific guarantees regarding international transfers for Microsoft services.

· Important: the alternatives to the Privacy Shield must be fully complied with, without exception, given that the European Data Protection Regulation (EDPS) reserves its toughest penalties for this type of breach, which can reach 20 million euros, or 4% of the total turnover of the previous year.

In short, when personal data is processed, which also includes an international transfer of data, it is advisable to ensure that the recipients of this data have established the appropriate measures to ensure the privacy and protection of such data.

Likewise, in line with what we have just pointed out, following the update of the Spanish Data Protection Agency’s Cookie Guide of July 2020, international data transfers have become the most important point when it comes to updating policies, hand in hand with consent, given that most websites carry out this type of transfer, as their providers’ servers are located outside the European Union.

In this same sense, it should be remembered that the period authorised by the AEPD to adapt the Cookies Policy ended on 31 October last, and that it is necessary to request the consent of users before installing a cookie, provided that international data transfers can be carried out through this cookie.

In fact, on 26 November 2020, a news item was published reporting the sanction imposed on CARREFOUR for failure to comply with the duty of information to users, including the absence of information on the international transfers of data carried out, with fines of €2,250,000.

Therefore, it is crucial to ensure that the transfers we make are secure, with both the holders and the recipients of the information adequately complying with the required levels of security and privacy, and to duly inform users, in the corresponding Policies, of the processing of personal data carried out.

Joaquín Abajo


