Associate Solicitor in our Corporate team, Richard, explains what the EU-US Privacy Shield invalidation means for our businesses and data protection.
A recent decision of the European Court of Justice has ruled that:
- The EU-US Privacy Shield mechanism for transfers of personal data from the EU (which for the purposes of data protection law includes the UK until the end of the Brexit transition period) is invalid, and
- The European Court approved Standard Contractual Clauses (“SCCs”) for personal data transfers outside of the EU are valid, but require a case by case risk assessment for their use.
This will impact any UK or EU based organisation that transfers personal data to the US. It may also have major implications for UK organisations that wish to transfer personal data to, or from, the EU following the end of the Brexit transition period. Organisations that use SCCs for data transfers generally may also find their ability to do so restricted.
What is the Privacy Shield?
Generally the transfer of personal data from the EU to non EU countries is prohibited under the GDPR, unless appropriate safeguards have been put in place. This helps to ensure that personal data can be adequately protected.
The Privacy Shield is a self-certification regime whereby US organisations agree to hold personal data from the EU to a higher standard than they are required to under US law.
Why was the Privacy Shield ruled to be invalid?
In short, the Court determined that the Privacy Shield did not ensure a level of personal data protection equivalent to that under EU law. A key concern was that US government surveillance practices were not subject to any limitations. Additionally, there was not an effective legal remedy for EU data subjects to challenge any processing for those practices.
As such, organisations should no longer rely on the Privacy Shield as a method of transferring EU personal data to the US.
What are SCCs?
SCCs are one type of safeguard that can be used to ensure adequate protection of any data transferred outside of the EU. They are standard form contract clauses approved by the European Commission, setting out the rights and obligations on data exporters and importers in respect of EU personal data.
Consequences of the decision on SCCs
Whilst the form of the SCCs and their use has been held to be valid in principle, their suitability for any transfer an organisation wishes to make needs to be considered on a case-by-case basis. The decision makes it clear that organisations will be required to demonstrate that the level of protection required by EU law is respected in the country to which they are transferring the EU personal data.
This is likely to be very difficult for most organisations. It will require a detailed understanding of the relevant country’s legal system and how that applies to the specific transfer. In particular, given the Court’s comments on the inadequacy of US law in protecting EU personal data it would seem very difficult (if not impossible) to show that SCCs would be appropriate for transfers to the US. This is, unless it can be shown that the relevant aspects of US surveillance are not relevant to the specific transfer.
The decision did suggest that organisations may be able to implement additional safeguards to help ensure an adequate level of protection for personal data. However, what these might be was not discussed.
Despite concerns raised over the years in respect of the Privacy Shield, the decision was unexpected. The comments on SCCs have significantly undermined the ability of organisations to safely rely on these.
The UK Information Commissioners Office and European Data Protection Board have issued some limited guidance following the judgement. Further guidance is expected swiftly. Organisations should keep up to date with this guidance and contact our data protection team if they have any questions.
Practical Steps and Commentary
This decision has serious implications for transfers of EU personal data to the US. Despite the significant amount of data that flows between the EU and the US, it is highly unlikely that the US will change its surveillance laws to make the Privacy Shield valid, or SCCs a more viable option. It should be assumed that the practical issues of transferring data to the US will not be resolved in the short term.
The reasoning of the decision is also likely to have significant implications for transfers of data between the UK and the EU after the Brexit implementation period. This is because the UK will become a “third country” in respect of EU personal data, much like the US, albeit that our data protection laws are currently equivalent to EU laws.
The decision also calls in to question the ability to rely on SCCs generally.
This is an area that is likely to be subject to uncertainty over the coming weeks and months. At this stage, however, all organisations transferring personal data outside of the UK should be looking at the following:
- Revisit your data flows and data maps to identify what personal data is transferred to the US under the Privacy Shield, who your processors in the US are, and what processing they do.
- Consider whether this processing can be done within the EEA, and ideally within the UK. Whilst this may not be what you want and could be an expensive and time consuming task, difficulties transferring data to the US mean that this will be the safest way to ensure compliance with the GDPR.
- In the meantime, implement SCCs with anyone in the US to whom you transfer data. Ask them for an analysis of how US laws affect the transfer so that you can perform your assessment. Whilst this is not our recommended long term solution, it may afford some protection until you can move data flows away from the US.
- Given that this decision is likely to impact on data transfers to the EU post-Brexit, now would be a good time to look at your data flows and data maps with a view to updating and/or understanding these in the context of any EU transfers that you use. This way, you can move quickly when Brexit related data protection guidance is issued.
- Keep up to date with guidance. The Court’s decision and its implications are still being considered, and guidance is being drip fed onto the ICOs website. You can also contact a member of our data protection team.
- Be prepared to change your processes and procedures quickly as guidance is issued.
Professional Legal Advice on Data Protection
Have you been affected by this new ruling? Whether you are clued up already or would like some guidance on making the initial steps towards contacting places where you store data in the US, we can help.