Privacy Shield invalidated: what this means for your data flows to the US
The EU-U.S. Privacy Shield was a framework agreed between the US Department of Commerce and the European Commission for transferring personal data from companies in the EU to companies in the US. It took effect on 1 August 2016.
However, on 16 July 2020, the Court of Justice of the European Union (CJEU) declared the EU-U.S. Privacy Shield invalid in the Schrems II case (C-311/18). This means that organizations in the EU can no longer transfer personal data to the United States (US) on the basis of the Privacy Shield.
The General Data Protection Regulation (GDPR) states that personal data may not simply be transferred to persons or organizations located in countries outside the European Economic Area (EEA), so-called third countries, such as the US. Such a transfer is only allowed if the level of protection for personal data guaranteed by the GDPR is not undermined in that third country.
Our in-house Governance & Security Consultant, Tom Koonen, has researched the consequences of the Privacy Shield invalidation. To inform you as well as possible, Tom has looked at the impact this may have on our company as well as on our customers.
How does IRIS deal with the invalidation?
Tom states that the invalidation of the Privacy Shield has no consequences for IRIS. This is because IRIS does not rely on the EU-U.S. Privacy Shield for processing customer data: our customer data is either stored and managed on our own systems within the EEA or with a third party located within the EEA.
What impact does the Privacy Shield invalidation have on iManage customers?
Our iManage customers do not need to take any action to continue using our services in compliance with European law. The existing contractual obligations already give customers overlapping protections under both the Standard Contractual Clauses (SCCs) and the Privacy Shield framework. The CJEU left the SCCs intact as a legal mechanism for transfer, but it did require data exporters to assess whether the law of the destination country undermines the protection the SCCs promise and, where it does, to put supplementary measures in place. iManage's existing contractual obligations (and, to be clear, the way we operate) already include such supplementary technical and organizational measures to mitigate that risk, including, but not limited to, applying the same data protection standards across the globe (certified to ISO/IEC 27701), agreeing to store data in specified geographic regions, enforcing strong access controls, and encrypting all data.
What now?
The European Data Protection Board (EDPB) is examining the practical consequences of the ruling and what the possible next steps could be. In the near term, the EDPB will provide guidance on supplementary measures that organizations can include alongside the model contracts. In the meantime, feel free to contact Tom if you have any questions about the Privacy Shield or would like to discuss improving governance and security within your own organization.
How we can help
At IRIS Nederland we take information management seriously. Information is the lifeblood of every organization and therefore requires intelligent, future-proof solutions that meet the needs of organizations and their users. We have kept that promise to our customers for more than 20 years. Whether you want to implement a new document management solution or another information management solution, we have the experience to support you in such a project from start to finish.
Contact us if you would like to know more about how our solutions and services can help your organization work more efficiently, securely and smartly.