17 July 2020
A decision of the Court of Justice of the European Union has struck down Privacy Shield as an appropriate mechanism for the transfer of personal data from the EU to the US, effectively prohibiting the transfer of data under the Privacy Shield framework (Facebook Ireland and Schrems, C-311/18).
Under the Privacy Shield framework, US businesses and organisations which had signed up to the scheme could lawfully receive personal data from the EU.
The Court found that US law, which allows personal data received by US businesses to be shared with US authorities (including the National Security Agency), did not afford a level of protection essentially equivalent to that enjoyed by individuals in the EU. As such, Privacy Shield did not provide an adequate level of protection for those individuals whose data was transferred, and accordingly could no longer be used as the basis for a transfer to the US.
Businesses transferring personal data to the US from the EU will no doubt be aware that they can only transfer personal data to a third country where strict criteria are met, for example, where the EU has declared that the recipient country offers appropriate protection of personal data (an adequacy decision) or where standard contractual clauses or other appropriate safeguards are in place prior to the transfer.
Many EU organisations rely on Privacy Shield for the lawful transfer of personal data to the US. Those who do must now put alternative measures in place to comply with EU data protection law; failure to do so would constitute a breach of data protection law.
As an alternative to Privacy Shield, many organisations will use Standard Contractual Clauses (SCCs), approved by the European Commission, as a lawful means of transfer. However, the Court of Justice also ruled that while SCCs remain lawful for the time being, businesses transferring data must also assess, on a case-by-case basis, whether the law of the receiving country affords an adequate level of protection for personal data and, where it does not, put supplementary measures in place or suspend the transfer. This increases the burden on businesses transferring personal data outwith the EU and is likely to result in significantly increased due diligence (and cost) prior to any transfer to a third country.
Of course, this is a decision of the Court of Justice of the EU, and the UK’s relationship with the EU has changed radically over the last year and will continue to do so as the transition period comes to an end. Nonetheless, the UK has effectively adopted the EU General Data Protection Regulation into domestic law, and it is likely that the decision in Schrems will have as profound an effect on UK data controllers as it will on those in the EU, not just for UK to US transfers but also for EU to UK transfers.
It is not yet clear what, if any, period of grace businesses that rely on Privacy Shield and SCCs will have prior to enforcement action by the ICO, but those who rely on these transfer mechanisms should take steps now to assess their practices and bring them into line with the new law.
BTO’s Data Protection Team can assist with any queries you have.
Lynn Richmond, Partner, E: firstname.lastname@example.org / T: 0131 222 2934