Privacy Shield invalidated: what this means for your data flows to the US

The EU-U.S. Privacy Shield was an agreement between the US Department of Commerce and the European Commission on the exchange of personal data between companies in the EU and the US. The Privacy Shield was in effect on August 1, 2016.

However, on 16 July 2020, the Court of Justice of the European Union (EU) declared the EU-US privacy shield invalid in the Schrems II case. This means that organizations in the EU can no longer pass on personal data to the United States (US) on the basis of the privacy shield.

The General Data Protection Regulation (GDPR) states that personal data may not simply be passed on to persons or organizations located in countries outside the European Economic Area (third countries), such as the US. This is only allowed if the security level for personal data guaranteed by the GDPR is not undermined in those third countries.

Our in-house Governance & Security Consultant, Tom Koonen, has further researched the consequences of the Privacy Shield cancellation. To inform you as well as possible about this, Tom has looked at the impact this may have on our company as well as our customers.

How does IRIS deal with the invalidation?

Tom states that the invalidation of the Privacy Shield has no consequences for IRIS. This because IRIS does not use the EU-U.S. Privacy Shield for processing customer data. Our customer data is either stored and managed on our own systems within the EEA or with a third party located within the EEA.

What impact does the privacy shield invalidation have on iManage customers?

We can state that our iManage customers do not need to take any action to continue to use our services in compliance with European law. The existing contractual obligations already provide customers with overlapping protections under both the SCCs and the Privacy Shield frameworks. The use of the SCCs as a legal mechanism for transfer was not impacted. As for the additional diligence related to such transfers, iManage’s existing contractual obligations (and, to be clear, the way we operate) already include supplementary technical and organizational measures that iManage has in place to mitigate risk, including, but not limited to, applying the same data protection standards across the globe (certified to ISO27701), agreeing to store data in certain geographic regions, enforcing strong access controls, and encrypting all data.

What now?

The European Data Protection Board (EDPB) is examining the practical consequences of the ruling. And what possible next steps could be. At short notice, the EDPB will provide guidance on additional measures that organizations can include in model contracts. In the meantime, feel free to contact Tom if you have any questions concerning the Privacy Shield or have a talk about improving governance and security within your own organization.

How we can help

At IRIS Nederland we take information management seriously. Information is the source of every organization and therefor requires intelligent, future-proof solutions which meet the needs of organizations and their users. We keep that promise to our customers for over 20 years now. Whether you are looking to implement a new document- or any other information management solution: we have the experience to support you with such a project from start to finish.

Get in touch with us if you want to know more how our solutions and services can make your organization work more efficient, secure and smarter.

About the author

Rachelle Beugels
Rachelle BeugelsInside Sales