Guides & Advice
Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses
Data Transfers to the US: CJEU kills Privacy Shield and fires salvo at Model Clauses
UPDATED 23 July 2020 : The ICO has, as of the 23 July 2020, updated their position and have now confirmed that:
If you are currently using Privacy Shield please continue to do so until new guidance becomes available.
Please do not start to use Privacy Shield during this period.
See the ICO website for further details.
So for the time being at least, UK businesses can continue to rely on the Privacy Shield (if they have done so to date). But as stated above this is not the position across Europe and organisations will need to review all US data transfers to ensure that they continue to comply with local interpretations. Through our membership of PrivacyRules we can support business in ensuring data compliance both throughout Europe and globally.
In a far reaching judgment (17 July 2020) the European Court of Justice (CJEU) ruled that the EU/US Privacy Shield (which is one of the mechanisms allowing data transfers from the EU (and the UK both pre and post Brexit) to the US is now invalid.
What is the EU/US privacy Shield?
Under GDPR, if the country in question doesn’t have adequate privacy laws in place (which the US does not), then organisations can only transfer personal data out of the EU under certain, limited, circumstances. One of the mechanisms allowed was the EU/US Privacy shield which allowed US companies to certify that they had appropriate internal protections in place. Currently over 5,500 US business (including Microsoft, Amazon and Facebook) have signed up.
The challenge
In a challenge brought against Facebook’s transferring of personal data to the US from its Irish subsidiary, the CJEU found that the US legal system does not allow individuals appropriate protections against access by US security organisations. And as a result the Privacy Shield was not a valid means of transfer.
But this isn’t the end of the problem. One of the alternative mechanisms in GDPR allowing overseas transfers of personal data are the “Standard Contractual Clauses” (SCCs) which can be agreed between companies to allow the export of personal data from the EU. In theory this works for transfers not just to the US but to any country outside the EU. They impose contractual obligations on the non-EU party to provide appropriate protections for the data.
However, the problem here is that, as the CJEU’s judgment has reminded us, SCCs require the party sending the data out of the EU to suspend such transfers if it becomes apparent that the party receiving the data cannot comply with their provisions. And, given that CJEU has just clearly stated that US laws don’t allow companies to provide adequate protections, it is difficult to see how the SCCs can work in the context of EU/US transfers.
This recent judgment could even challenge the use of SCCs generally If they cannot continue to be used where the laws of the country of the recipient mean that the recipient can’t comply with them, then it begs the question of how they can be used other than in a country which provides adequate protections. The clauses may not be the easy route to transfers previously assumed.
Where do we go from here?
The ICO has issued a short statement saying:
“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.”
“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”
So at the moment, UK companies have not been told to stop sending personal data to the US under the Privacy Shield. But this is not the case throughout the EU – the Berlin ICO has issued just such a statement. It will be a little while until the dust settles and a consistent approach across Europe emerges if it indeed does.
But while this is going on organisations need to review urgently the basis on which they transfer personal data to the US and, where this is based on Privacy Shield, to engage with the overseas partner to understand how they are proposing to continue to allow transfers.
Contact us
For further information on this or other issues concerning your data and data security, contact Andrew Hartshorn or another member of the IT and technology team.
We have launched our guide to recovery and resilience, helping to support businesses and individuals unlock their potential, navigate their way out of lockdown and make way for a brighter future. Further advice in relation to COVID-19 can be found on our dedicated coronavirus resource hub.
From inspirational SHMA Talks to informative webinars, we also have lots of educational and entertaining content for life and business. Visit SHMA® ON DEMAND.
Our free legal helpline offers bespoke guidance on a range of subjects, from employment and general business matters through to director’s responsibilities, insolvency, restructuring, funding and disputes. We also have a team of experts on hand for any queries on family and private matters too. Available from 10am-12pm Monday to Friday, call 0800 689 4064.
Related services
SHMA® ON DEMAND
Listen to our SHMA® ON DEMAND content covering a broad range of topics to help support you and your business.
21 Apr
Matt McDonald, Partner
Fire and Re-hire – the controversy and the law
So why is fire and re-hire controversial, and what do employers need to consider […]
22 Apr
Peter Snodgrass, Partner & Head of Agriculture | Jennie Wheildon, Legal Director
Agriculture: Partnership Agreements
This bite size webinar is intended help you firstly identify a partnership and then […]
27 Apr
Louise Drew, Partner & Head of Building Communities
Build to Rent & Retirement Living
Our panel will discuss the differences and synergies between the markets and lessons that […]
29 Apr
Andrew Whitehead, Senior Partner & Head of Energy
AEEC (Association of European Energy Consultants) Spring Conference Decarbonising by 2050
Join us at the AEEC Spring Conference on 29 April 2021 to hear more […]
Our thoughts
All the latest views and insights on current topics.
14 Apr
Education
Government needs to make better decisions for universities and their students
Universities UK letter to the Prime Minister on student returns on 6 April raises […]
12 Apr
Employment
Uber v Aslam: a win for workers
News Uber v Aslam: a win for workers Get in touch Home […]
9 Apr
Corporate & Commercial
Shakespeare Martineau supports multimillion-pound acquisition of financial coaching business
8 Apr
Employment
Are employees with long COVID entitled to compensation?
6 Apr
Employment
Discrimination | Vento bands for injury to feelings awards increase from April 2021
1 Apr
Employment
Five changes to employment law that HR managers need to be aware of from April 2021
How can we help?
Our expert lawyers are ready to help you with a wide range of legal services, use the search below or call us on: 0330 024 0333