The decision means that Norwegian companies that either themselves or via third parties process personal data in the US (e.g. where the company's IT services depend on US IT services) must investigate whether they either directly or indirectly use the Privacy Shield as a processing basis for transfer of personal data from Europe to the United States. If the transfer is based solely on the Privacy Shield and no alternative transfer basis, the company must establish a new basis for the transfer to the United States.
What is Privacy Shield?
The EU-US Privacy Shield was an agreement between the EU and the US to regulate the exchange of personal data between parties in the EU and the US. Many IT services depend, to a greater or lesser extent, on partial deliveries originating from American companies. Examples of this are Google's development platform Firebase and Microsoft's cloud service Azure.
For all transfers of personal data, there is a requirement to have a valid legal basis. When transferring personal data to third countries, companies are also required to ensure that the third country has an adequate level of protection. In practice, this means that persons in Europe must be guaranteed a corresponding level of protection in third countries, with regard to their personal data. Privacy Shield was precisely this legal basis until 16 July 2020.
Why is the Privacy Shield no longer sufficient?
In the judgment of the European Court of Justice, special emphasis was placed on two aspects. First, the degree of protection afforded by the agreement between the EU exporting company and the US importing company. Secondly, the question of what access public authorities in the United States have to such information. The court emphasized the lack of US enforcement regarding the Privacy Shield. Furthermore, the US regulations did not restrict US public authorities from accessing personal data with regard to proportionality and reasonableness. There was also a lack of opportunities for European legal entities to report deviations and pursue sanctions against US companies for breaches of personal data regulations, and finally there were shortcomings in the US ombudsman scheme associated with the Privacy Shield, since it reported to public authorities and was therefore not considered independent.
Status quo?
Although the Privacy Shield has been invalidated as a legal basis for transfer to the USA, the European Court of Justice states that "Standard data protection clauses" (SCC) can be regarded as a legal basis for transfer to the USA. However, this presupposes that the US company is in a position to guarantee the necessary data protection based solely on SCC.
What is the solution for Norwegian companies?
Norwegian companies must now identify whether their own company and its suppliers (incl. subcontractors) process personal data in the USA. This involves reviewing the providers listed in the data processor agreement and the service providers listed in the privacy policy and cookie policy.
If any of the above process personal information in the United States, the company must investigate whether the transfer of personal information to the United States is based solely on the Privacy Shield - some providers use several bases. If several bases are used, it must be identified which other legal basis is used for the transfer.
If the transfer of personal information to the United States is based solely on the Privacy Shield, the company must establish a new basis for the transfer to the United States, such as SCC. If SCC is to be used as a basis for transfer to the USA, a risk assessment is required of whether SCC can serve as a transfer basis, assessing both the content of the clause and whether one achieves equivalent privacy protection in the USA as within the EU.
This means more specifically that companies must identify whether the content of the clause, seen in the context of third country data legislation, gives EU citizens the same protection of their personal data in the third country as they do in the EU. The company must carry out such a risk assessment before personal data is processed and before using an information system that processes data outside the EU.