Guides & Advice

Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

Published: 22nd July 2020
Area: Corporate & Commercial

Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

UPDATED 23 July 2020 : The ICO has, as of the 23 July 2020, updated their position and have now confirmed that:

If you are currently using Privacy Shield please continue to do so until new guidance becomes available.

Please do not start to use Privacy Shield during this period.

See the ICO website for further details.

So for the time being at least, UK businesses can continue to rely on the Privacy Shield (if they have done so to date). But as stated above this is not the position across Europe and organisations will need to review all US data transfers to ensure that they continue to comply with local interpretations. Through our membership of PrivacyRules we can support business in ensuring data compliance both throughout Europe and globally.

In a far reaching judgment (17 July 2020) the European Court of Justice (CJEU) ruled that the EU/US Privacy Shield (which is one of the mechanisms allowing data transfers from the EU (and the UK both pre and post Brexit) to the US is now invalid.

What is the EU/US privacy Shield?

Under GDPR, if the country in question doesn’t have adequate privacy laws in place (which the US does not), then organisations can only transfer personal data out of the EU under certain, limited, circumstances.  One of the mechanisms allowed was the EU/US Privacy shield which allowed US companies to certify that they had appropriate internal protections in place.  Currently over 5,500 US business (including Microsoft, Amazon and Facebook) have signed up.

The challenge

In a challenge brought against Facebook’s transferring of personal data to the US from its Irish subsidiary, the CJEU found that the US legal system does not allow individuals appropriate protections against access by US security organisations.  And as a result the Privacy Shield was not a valid means of transfer.

But this isn’t the end of the problem.  One of the alternative mechanisms in GDPR allowing overseas transfers of personal data are the “Standard Contractual Clauses” (SCCs) which can be agreed between companies to allow the export of personal data from the EU.  In theory this works for transfers not just to the US but to any country outside the EU.  They impose contractual obligations on the non-EU party to provide appropriate protections for the data.

However, the problem here is that, as the CJEU’s judgment has reminded us, SCCs require the party sending the data out of the EU to suspend such transfers if it becomes apparent that the party receiving the data cannot comply with their provisions.  And, given that CJEU has just clearly stated that US laws don’t allow companies to provide adequate protections, it is difficult to see how the SCCs can work in the context of EU/US transfers.

This recent judgment could even challenge the use of SCCs generally  If they cannot continue to be used where the laws of the country of the recipient mean that the recipient can’t comply with them, then it begs the question of how they can be used other than in a country which provides adequate protections.  The clauses may not be the easy route to transfers previously assumed.

Where do we go from here?

The ICO has issued a short statement saying:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.”

“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”

So at the moment, UK companies have not been told to stop sending personal data to the US under the Privacy Shield.  But this is not the case throughout the EU – the Berlin ICO has issued just such a statement.  It will be a little while until the dust settles and a consistent approach across Europe emerges if it indeed does.

But while this is going on organisations need to review urgently the basis on which they transfer personal data to the US and, where this is based on Privacy Shield, to engage with the overseas partner to understand how they are proposing to continue to allow transfers.

Contact us
For further information on this or other issues concerning your data and data security, contact Andrew Hartshorn or another member of the IT and technology team.

We have launched our guide to recovery and resilience, helping to support businesses and individuals unlock their potential, navigate their way out of lockdown and make way for a brighter future. Further advice in relation to COVID-19 can be found on our dedicated coronavirus resource hub.

From inspirational SHMA Talks to informative webinars, we also have lots of educational and entertaining content for life and business. Visit SHMA® ON DEMAND.

Our free legal helpline offers bespoke guidance on a range of subjects, from employment and general business matters through to director’s responsibilities, insolvency, restructuring, funding and disputes. We also have a team of experts on hand for any queries on family and private matters too. Available from 10am-12pm Monday to Friday, call 0800 689 4064.

SHMA® ON DEMAND

Listen to our SHMA® ON DEMAND content covering a broad range of topics to help support you and your business.

Agriculture: diversifying or leasing your land to create habitat banks

6 Jul

Peter Snodgrass, Partner & Head of Agriculture
Agriculture: diversifying or leasing your land to create habitat banks

We know that biodiversity net gains provide a significant opportunity for landowners to diversify […]

Misconduct outside the workplace and business disrepute

8 Sep

Michael Hibbs, Partner
Misconduct outside the workplace and business disrepute

In this webinar, Mike Hibbs – Partner and Robin Gronbech - Solicitor in our […]

Our thoughts

All the latest views and insights on current topics.

Employment Contracts Vs Consultancy Agreements

27 Jun

Employment Contracts

Employment Contracts Vs Consultancy Agreements

Employment Contracts Vs Consultancy Agreements - The Pros & Cons Employment Guides & Advice Get In […]

Read article Right Arrow

Shakespeare Martineau appoints expert director to company secretary team

20 Jun

Corporate & Commercial

Shakespeare Martineau appoints expert director to company secretary team

Shakespeare Martineau has appointed a new director to help grow and enhance the reputation […]

Read article Right Arrow

Spring 2022 Consumer Finance Update

17 Jun

For the individual

Spring 2022 Consumer Finance Update

Read article Right Arrow

Helping employees keep their cool in a heatwave

17 Jun

Employment

Helping employees keep their cool in a heatwave

Read article Right Arrow

We win top intellectual property award

16 Jun

Firm News

We win top intellectual property award

Read article Right Arrow

Lovely jubbly – English Courts provide guidance on when an intended parody becomes copyright infringement

14 Jun

Corporate & Commercial

Lovely jubbly – English Courts provide guidance on when an intended parody becomes copyright infringement

Read article Right Arrow

Keeping Children Safe in Education – updated for September 2022

25 May

Corporate & Commercial

Keeping Children Safe in Education – updated for September 2022

Read article Right Arrow

How can we help?

Our expert lawyers are ready to help you with a wide range of legal services, use the search below or call us on: 0330 024 0333