In the recent highly publicized decision Schrems II, the Court of Justice of the European Union (“CJEU”) has invalidated the EU–U.S. Privacy Shield, relied on by many companies transferring data out of the European Union’s comprehensive data protection regime, the GDPR.
What does that mean for Kivu and its clients?
- With secure data centres and in-house forensic analysts in both North America and the EU, Kivu is able to host and analyse all EU data within the borders of the EU. Simply put, Kivu does not transfer or process the Personal Information of EU data subjects outside the EU as part of its business operations.
- In exceptional circumstances, and when responding to a major international cyber incident, Kivu may seek a client’s authority to use EU Standard Contractual Clauses to transfer personal data outside the EU to assist with its investigation. However, such a transfer would never be for the commercial processing of Personal Information of EU data subjects.
With its judgement in case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, announced on 16 July 2020, the Court of Justice of the European Union has effectively killed off the Privacy Shield agreement between the USA and the EU and Switzerland.
The ruling deemed the protection afforded to European citizens’ data under the agreement as insufficient and non-compliant with the privacy rights afforded to EU data subjects under GDPR.
Privacy Shield was implemented in 2016 in order to enable U.S. companies to process and store EU data subjects’ information on servers located on U.S. territory. This was convenient as many organizations with business operations in the EU did not – and still do not – have servers or data centers within EU borders.
The Court ruled that the U.S. does not grant the same level of protection to individuals’ data as the EU does, and thus any transmission of EU citizens’ data would run counter to GDPR.
While Kivu has been a participant in the Privacy Shield agreement since its launch, we have never relied on transferring personal information as part of our investigations because we have had local capacities in both the U.S. and the EU. Kivu’s operations are unaffected by this ruling as we have secure data centers in the UK and Netherlands, with our EU servers storing the data of all our EU cases in accordance with the GDPR.
We welcome the Court’s ruling as a further step towards data privacy and security, something we take very seriously at Kivu.