
Supplemental Measures that U.S. Businesses Can Take To Comply With GDPR

By John DiGiacomo

In July 2020, the Court of Justice of the European Union declared the Privacy Shield between the European Union (EU) and the U.S. to be an inadequate means of privacy protection. This was done on the grounds that the surveillance programs authorized under the U.S. Foreign Intelligence Surveillance Act (FISA) failed to properly safeguard personal data from government interference.[1] The result of this decision was that the Privacy Shield framework was invalidated as a mechanism to comply with EU data protection requirements for businesses that transfer data to the U.S. from the EU. This means that the Privacy Shield is no longer in compliance with the European Union’s General Data Protection Regulation (GDPR), so the only means of compliance for data transfer from the EU to the U.S. is through supplemental measures. For businesses that collect, store, and transfer data across the Atlantic and the rest of the world, such compliance through supplemental measures is necessary to effectively transfer data between countries, but it can be difficult to determine which measures are adequate and how to assess such measures in light of a particular transfer.

How does a business collect and store data?

First, it is important to understand how businesses collect and store consumer data. Businesses collect data in a few ways. One way is by directly asking customers for access to their data, usually using cookies as a means for websites to recognize a visitor’s computer and remember their activity on that website. Another way is by indirectly tracking consumers on their devices, often by using the device’s IP address. Knowing the location of a consumer allows the most effectively targeted advertisements. Lastly, businesses may look to their customer service records or other sources of consumer data and append them to the data on an individual consumer, allowing the business to identify patterns of consumer behavior and activity within the bigger picture.[2]

What is the GDPR?

The GDPR is an EU law on privacy and the free movement of personal data created in 2016 and implemented in 2018.[3] Its main goal is to allow EU citizens more control over their personal data and to regulate the processing of personal data from the European Economic Area (EEA) either wholly or partly by automated means.[4]

Due to the high level of protection afforded to personal data in the EU, countries that do business in the EU had to step up their data protection requirements as well. The Privacy Shield Program was created in 2016 by the U.S., Switzerland, and Europe as a mechanism to ensure compliance with the EU’s GDPR data protection requirements when transferring the personal data of EU citizens to the U.S. and Switzerland.[5] It was implemented to bolster transatlantic commerce in response to the stringent requirements of the GDPR.[6]

How to choose which supplemental measures to implement

Because the Privacy Shield Program is now dead, the only way to comply with GDPR is by taking supplemental measures to ensure compliance. But what supplemental measures are sufficient? And how does one assess whether a measure will be compliant?

A supplemental measure is essentially any type of security measure, whether technical, contractual, or organizational, that seeks to provide privacy protection for a business’s stored data. To measure compliance, the first step is to identify what legal measures the country that is to receive the data requires for a transfer. Different countries, such as Switzerland and the countries of the EU, have different laws and regulations regarding data transfer, so it is important to ensure that the chosen supplemental measures are compliant with the laws of the receiving country.[7] Whatever supplemental measures are chosen must be essentially equivalent to the requirements for data transfers under EU law.

Because data transfer laws may vary between countries, ensuring compliance is essential for an effective data transfer. In the wake of the decision to strike down the Privacy Shield Program, the European Data Protection Board (EDPB) has issued guidance on which supplemental measures are compliant with European data protection regulations (found here beginning on page 28). The recommendations of the EDPB assist data exporters and businesses with compliance in the absence of the Privacy Shield Program or similar EU adequacy decisions on data protection. Examples of supplemental measures can be found here in the EDPB Essential Guarantees recommendations.

How to assess supplemental measures

In deciding which supplemental measures to adopt and whether they will be adequate to protect the data that is to be transferred, the measures must be assessed within the context of the particular data transfer that is to take place. Article 46 of the GDPR lists transfer tools that should be assessed for effectiveness in the context of the transfer. If they are not relevant or applicable under the legislation of the receiving country, then an assessment must be done of whether the chosen supplemental measures will be compliant with the laws and regulations of the destination country.[8]

This assessment is typically done through careful consideration of the relevant factors surrounding a transfer. One is whether there will be any subsequent onward transfers, in which case an assessment should be made of how effective a data protection mechanism will be both while the data is in transit and once the data reaches its destination country. Another factor is whether the public authorities in the destination country may access the transferred data without the knowledge or consent of the importer, and whether any such laws will apply given the nature of the transferred data. A third factor is whether there is a contractual obligation to use certain measures, such as encryption, pseudonymization, or split processing.[9]

For more information on supplemental measures or for questions about the compliance with GDPR, visit Revision Legal.


[1] https://www.termsfeed.com/blog/why-eu-us-privacy-shield-invalidated/

[2] https://www.digitaltrends.com/computing/history-of-cookies-and-effect-on-privacy/

[3] https://gdpr-info.eu/art-1-gdpr/

[4] https://gdpr-info.eu/art-2-gdpr/

[5] https://www.privacyshield.gov/Program-Overview

[6] https://www.privacyshield.gov/Program-Overview

[7] https://www.huntonprivacyblog.com/2021/06/21/edpb-releases-final-recommendations-on-supplementary-measures-for-international-transfers/

[8] https://www.onetrust.com/blog/edpb-final-recommendations-part-two/

[9] https://www.huntonprivacyblog.com/2021/06/21/edpb-releases-final-recommendations-on-supplementary-measures-for-international-transfers/
