The End of Privacy Shield
Key Contact: Rem Noormohamed
Author: Lowri Morgan-Macdonald
On 16 July 2020, the European Court of Justice (ECJ) ruled that the EU-U.S. Privacy Shield (Privacy Shield) is no longer a valid mechanism for lawfully transferring personal data outside the European Economic Area (EEA) under the General Data Protection Regulation (the GDPR). This means that if you are a UK or EU based organisation which has historically relied on Privacy Shield in order to lawfully transfer personal data to the U.S., you will need to find an alternative way of doing so. What's more, you will need to do so quickly: the ruling took effect immediately, and there is no grace or transition period during which you can continue transferring personal data to the U.S. in reliance on Privacy Shield.
1. What is Privacy Shield?
To understand the importance of this decision, we need to take a step back and look at the purpose of Privacy Shield. Under the GDPR, personal data can only be transferred outside the EEA where the rights of individuals are adequately protected, or where one of the limited exceptions applies.
One way of meeting this requirement is a transfer covered by an adequacy decision. The European Commission (Commission) has made what are known as 'adequacy decisions' in respect of a number of countries and territories including New Zealand, Switzerland and Argentina. This means that the Commission considers that the legal framework in place in such countries provides adequate protection for the personal data of individuals, so transfers to them can be made without any further safeguard.
The Commission has also made partial findings of adequacy in respect of Japan, Canada and the U.S. This is where Privacy Shield comes in: any transfer of personal data to a U.S. organisation covered by the Privacy Shield framework previously fell within this partial adequacy finding and was therefore permitted. To be covered, a U.S. organisation had to self-certify to the U.S. Department of Commerce that it complied with the framework's principles, and the Department of Commerce maintained a public list of certified organisations which data exporters could check before transferring.
However, in its judgment in the case known as Schrems II, the ECJ found that U.S. domestic law, and in particular the access to personal data that it grants to U.S. public authorities and the absence of effective judicial redress for EU individuals, does not provide a level of protection essentially equivalent to that guaranteed under the GDPR. Accordingly, it declared the Privacy Shield framework invalid with immediate effect.
2. How else can you lawfully transfer personal data to the U.S. following this decision?
(a) Appropriate Safeguards
Under the GDPR, you can transfer personal data outside the EEA where it is covered by appropriate safeguards. Such safeguards include (amongst others):
(1) Standard contractual clauses (SCCs) – you can make a transfer to an organisation in the U.S. where you have entered into the appropriate SCCs adopted by the European Commission with that organisation. There are different sets of SCCs for controller-to-controller transfers and for controller-to-processor transfers, and they must be used in their entirety without amendment in order to be effective. The SCCs place obligations on the data exporter and the data importer and also set out rights for the individuals whose data is transferred. Importantly, the ECJ did not invalidate the SCCs in Schrems II, but it did make clear that they cannot simply be signed and relied upon without further analysis (see below).
(2) Binding corporate rules – these permit a restricted transfer to be made if both you and the transferee have signed up to an internal code of conduct known as binding corporate rules (BCRs). This is therefore only appropriate for a corporate group or a group of undertakings engaged in a joint economic activity, such as a joint venture. However, the process for setting up BCRs can be quite lengthy and complex, as BCRs must be submitted to an EEA supervisory authority such as the ICO for approval. As a result, BCRs seem to be rarely used by UK organisations, as illustrated on the ICO's website, where it states that it has only approved BCRs for one entity.
However, in light of the decision in Schrems II, even if you are looking to rely on the SCCs or BCRs in order to transfer personal data to the U.S., you will still need to assess, on a case-by-case basis, whether the law and practice in the U.S. allow the data importer to actually comply with those commitments in respect of the personal data being transferred. Where they do not, you will need to consider whether supplementary measures can be put in place to close the gap; if adequate protection cannot be ensured, the court held that the transfer must be suspended or stopped. This assessment should be documented, since supervisory authorities are now expected to suspend or prohibit transfers where the safeguards cannot be complied with in practice.
If you find that you cannot rely on any of the appropriate safeguards, including those set out above, your only other option is to bring the transfer within one of the limited exceptions (the derogations in Article 49 of the GDPR). These include (amongst others): (1) the explicit consent of the individual, given after being informed of the risks of the transfer; (2) where the transfer is only occasional and is necessary for you to perform a contract with the individual; (3) where you need to make the transfer for important reasons of public interest or to protect the vital interests of the individual or of other persons. These exceptions are interpreted narrowly and are not intended to support systematic, repetitive or large-scale transfers, so they are unlikely to be a long-term substitute for Privacy Shield in most commercial arrangements.
If you previously relied on Privacy Shield in order to transfer personal data to the U.S., you will need to assess whether any of the alternatives above are appropriate for each transfer. If you are unable to rely on any of the above mechanisms, you will need to stop transferring personal data to the U.S. immediately.
For more information on how you can lawfully transfer personal data to the U.S. following the end of Privacy Shield, please contact Lowri Morgan-Macdonald.