Guides & Advice

Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

Published: 22nd July 2020
Area: Corporate & Commercial

Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses

UPDATED 23 July 2020 : The ICO has, as of the 23 July 2020, updated their position and have now confirmed that:

If you are currently using Privacy Shield please continue to do so until new guidance becomes available.

Please do not start to use Privacy Shield during this period.

See the ICO website for further details.

So for the time being at least, UK businesses can continue to rely on the Privacy Shield (if they have done so to date). But as stated above this is not the position across Europe and organisations will need to review all US data transfers to ensure that they continue to comply with local interpretations. Through our membership of PrivacyRules we can support business in ensuring data compliance both throughout Europe and globally.

In a far reaching judgment (17 July 2020) the European Court of Justice (CJEU) ruled that the EU/US Privacy Shield (which is one of the mechanisms allowing data transfers from the EU (and the UK both pre and post Brexit) to the US is now invalid.

What is the EU/US privacy Shield?

Under GDPR, if the country in question doesn’t have adequate privacy laws in place (which the US does not), then organisations can only transfer personal data out of the EU under certain, limited, circumstances.  One of the mechanisms allowed was the EU/US Privacy shield which allowed US companies to certify that they had appropriate internal protections in place.  Currently over 5,500 US business (including Microsoft, Amazon and Facebook) have signed up.

The challenge

In a challenge brought against Facebook’s transferring of personal data to the US from its Irish subsidiary, the CJEU found that the US legal system does not allow individuals appropriate protections against access by US security organisations.  And as a result the Privacy Shield was not a valid means of transfer.

But this isn’t the end of the problem.  One of the alternative mechanisms in GDPR allowing overseas transfers of personal data are the “Standard Contractual Clauses” (SCCs) which can be agreed between companies to allow the export of personal data from the EU.  In theory this works for transfers not just to the US but to any country outside the EU.  They impose contractual obligations on the non-EU party to provide appropriate protections for the data.

However, the problem here is that, as the CJEU’s judgment has reminded us, SCCs require the party sending the data out of the EU to suspend such transfers if it becomes apparent that the party receiving the data cannot comply with their provisions.  And, given that CJEU has just clearly stated that US laws don’t allow companies to provide adequate protections, it is difficult to see how the SCCs can work in the context of EU/US transfers.

This recent judgment could even challenge the use of SCCs generally  If they cannot continue to be used where the laws of the country of the recipient mean that the recipient can’t comply with them, then it begs the question of how they can be used other than in a country which provides adequate protections.  The clauses may not be the easy route to transfers previously assumed.

Where do we go from here?

The ICO has issued a short statement saying:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.”

“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”

So at the moment, UK companies have not been told to stop sending personal data to the US under the Privacy Shield.  But this is not the case throughout the EU – the Berlin ICO has issued just such a statement.  It will be a little while until the dust settles and a consistent approach across Europe emerges if it indeed does.

But while this is going on organisations need to review urgently the basis on which they transfer personal data to the US and, where this is based on Privacy Shield, to engage with the overseas partner to understand how they are proposing to continue to allow transfers.

Contact us
For further information on this or other issues concerning your data and data security, contact Andrew Hartshorn or another member of the IT and technology team.

We have launched our guide to recovery and resilience, helping to support businesses and individuals unlock their potential, navigate their way out of lockdown and make way for a brighter future. Further advice in relation to COVID-19 can be found on our dedicated coronavirus resource hub.

From inspirational SHMA Talks to informative webinars, we also have lots of educational and entertaining content for life and business. Visit SHMA® ON DEMAND.

Our free legal helpline offers bespoke guidance on a range of subjects, from employment and general business matters through to director’s responsibilities, insolvency, restructuring, funding and disputes. We also have a team of experts on hand for any queries on family and private matters too. Available from 10am-12pm Monday to Friday, call 0800 689 4064.

SHMA® ON DEMAND

Listen to our SHMA® ON DEMAND content covering a broad range of topics to help support you and your business.

Fire and Re-hire – the controversy and the law

21 Apr

Matt McDonald, Partner
Fire and Re-hire – the controversy and the law

So why is fire and re-hire controversial, and what do employers need to consider […]

Agriculture: Partnership Agreements

22 Apr

Peter Snodgrass, Partner & Head of Agriculture | Jennie Wheildon, Legal Director
Agriculture: Partnership Agreements

This bite size webinar is intended help you firstly identify a partnership and then […]

Build to Rent & Retirement Living

27 Apr

Louise Drew, Partner & Head of Building Communities
Build to Rent & Retirement Living

Our panel will discuss the differences and synergies between the markets and lessons that […]

AEEC (Association of European Energy Consultants) Spring Conference Decarbonising by 2050

29 Apr

Andrew Whitehead, Senior Partner & Head of Energy
AEEC (Association of European Energy Consultants) Spring Conference Decarbonising by 2050

Join us at the AEEC Spring Conference on 29 April 2021 to hear more […]

Our thoughts

All the latest views and insights on current topics.

Government needs to make better decisions for universities and their students

14 Apr

Education

Government needs to make better decisions for universities and their students

Universities UK letter to the Prime Minister on student returns on 6 April raises […]

Read article Right Arrow

Uber v Aslam: a win for workers

12 Apr

Employment

Uber v Aslam: a win for workers

News Uber v Aslam: a win for workers Get in touch Home […]

Read article Right Arrow

What are the true costs of redundancy?

9 Apr

Employment

What are the true costs of redundancy?

Read article Right Arrow

Shakespeare Martineau supports multimillion-pound acquisition of financial coaching business

9 Apr

Corporate & Commercial

Shakespeare Martineau supports multimillion-pound acquisition of financial coaching business

Read article Right Arrow

Are employees with long COVID entitled to compensation?

8 Apr

Employment

Are employees with long COVID entitled to compensation?

Read article Right Arrow

Discrimination | Vento bands for injury to feelings awards increase from April 2021

6 Apr

Employment

Discrimination | Vento bands for injury to feelings awards increase from April 2021

Read article Right Arrow

Five changes to employment law that HR managers need to be aware of from April 2021

1 Apr

Employment

Five changes to employment law that HR managers need to be aware of from April 2021

Read article Right Arrow

How can we help?

Our expert lawyers are ready to help you with a wide range of legal services, use the search below or call us on: 0330 024 0333