Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

UPDATED 23 July 2020 : The ICO has, as of the 23 July 2020, updated their position and have now confirmed that:

If you are currently using Privacy Shield please continue to do so until new guidance becomes available.

Please do not start to use Privacy Shield during this period.

See the ICO website for further details.

So for the time being at least, UK businesses can continue to rely on the Privacy Shield (if they have done so to date). But as stated above this is not the position across Europe and organisations will need to review all US data transfers to ensure that they continue to comply with local interpretations. Through our membership of PrivacyRules we can support business in ensuring data compliance both throughout Europe and globally.

In a far reaching judgment (17 July 2020) the European Court of Justice (CJEU) ruled that the EU/US Privacy Shield (which is one of the mechanisms allowing data transfers from the EU (and the UK both pre and post Brexit) to the US is now invalid.

What is the EU/US privacy Shield?

Under GDPR, if the country in question doesn’t have adequate privacy laws in place (which the US does not), then organisations can only transfer personal data out of the EU under certain, limited, circumstances.  One of the mechanisms allowed was the EU/US Privacy shield which allowed US companies to certify that they had appropriate internal protections in place.  Currently over 5,500 US business (including Microsoft, Amazon and Facebook) have signed up.

The challenge

In a challenge brought against Facebook’s transferring of personal data to the US from its Irish subsidiary, the CJEU found that the US legal system does not allow individuals appropriate protections against access by US security organisations.  And as a result the Privacy Shield was not a valid means of transfer.

But this isn’t the end of the problem.  One of the alternative mechanisms in GDPR allowing overseas transfers of personal data are the “Standard Contractual Clauses” (SCCs) which can be agreed between companies to allow the export of personal data from the EU.  In theory this works for transfers not just to the US but to any country outside the EU.  They impose contractual obligations on the non-EU party to provide appropriate protections for the data.

However, the problem here is that, as the CJEU’s judgment has reminded us, SCCs require the party sending the data out of the EU to suspend such transfers if it becomes apparent that the party receiving the data cannot comply with their provisions.  And, given that CJEU has just clearly stated that US laws don’t allow companies to provide adequate protections, it is difficult to see how the SCCs can work in the context of EU/US transfers.

This recent judgment could even challenge the use of SCCs generally  If they cannot continue to be used where the laws of the country of the recipient mean that the recipient can’t comply with them, then it begs the question of how they can be used other than in a country which provides adequate protections.  The clauses may not be the easy route to transfers previously assumed.

Where do we go from here?

The ICO has issued a short statement saying:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.”

“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”

So at the moment, UK companies have not been told to stop sending personal data to the US under the Privacy Shield.  But this is not the case throughout the EU – the Berlin ICO has issued just such a statement.  It will be a little while until the dust settles and a consistent approach across Europe emerges if it indeed does.

But while this is going on organisations need to review urgently the basis on which they transfer personal data to the US and, where this is based on Privacy Shield, to engage with the overseas partner to understand how they are proposing to continue to allow transfers.

Contact us
For further information on this or other issues concerning your data and data security, contact Andrew Hartshorn or another member of the IT and technology team.

We have launched our guide to recovery and resilience, helping to support businesses and individuals unlock their potential, navigate their way out of lockdown and make way for a brighter future. Further advice in relation to COVID-19 can be found on our dedicated coronavirus resource hub.

From inspirational SHMA Talks to informative webinars, we also have lots of educational and entertaining content for life and business. Visit SHMA® ON DEMAND.

Our free legal helpline offers bespoke guidance on a range of subjects, from employment and general business matters through to director’s responsibilities, insolvency, restructuring, funding and disputes. We also have a team of experts on hand for any queries on family and private matters too. Available from 10am-12pm Monday to Friday, call 0800 689 4064.