What will loss of US/EU privacy shield mean for data protection?

The European Court of Justice has ruled the well-established agreement relied on by thousands of companies to transfer personal data across the Atlantic – the Privacy Shield Agreement – is invalid. According to the ECJ, the agreement doesn’t sufficiently protect personal data transferred from the EU to the US from being accessed by authorities there. While the precise implications of the decision are still being calculated, they are likely to be far-reaching. This important decision effectively means that the United States is no longer able to import data from the EU because its data protection measures are not as robust as the standards set by GDPR.

What is the Privacy Shield?

GDPR means personal data of EU citizens can only be transferred internationally if stringent safeguards are met. The Privacy Shield enabled transferal of data to 5,000 certified agencies in the US that met higher levels of data security than required by domestic US law. (The Privacy Shield replaced the earlier Safe Harbor agreement.) In practice, of course, the Privacy Shield meant high-profile companies like Zoom could operate smoothly. But it also had advantages for small and medium-sized businesses because complying with it was relatively straightforward and cost-effective.

Who challenged the Privacy Shield?

An Austrian data privacy activist, Maximilian Schrems, objected to the way his personal data was being used by Facebook Ireland (the Facebook affiliate that processes the information of Facebook users outside the US). In particular, he took issue with the transfer of his data by Facebook Ireland to Facebook Inc. in the US, where US agencies could have access to it in a way that was incompatible with GDPR. (To clarify: because Facebook Ireland, which gathered his data in the first place, is located within the EU, it is subject to the strict GDPR data protection regime.)

What did the ECJ decide about the validity of the Privacy Shield?

The European Court was clear: the Privacy Shield Agreement doesn’t restrict US authorities from accessing data transferred from the EU “in a way that satisfies requirements that are essentially equivalent to those required under EU law”. It based the decision on a number of factors, including:

  • US national security and what is in the US public interest are given greater weight under the agreement than the fundamental rights of EU citizens. This was unacceptable
  • US authorities had the powers of surveillance over transferred data to a degree that was inconsistent with EU law
  • There is no adequate ombudsman procedure that EU citizens could avail of in the US if they are concerned about how their data is being processed by US authorities

What do I now do if my business transfers data to the US? EU standard contractual clauses (SCCs)?

In the UK the ICO has reiterated the European Data Protection Board’s recommendation that from now on companies wishing to transfer data abroad – to the US or elsewhere – must carry out a risk assessment to establish whether the SCC provides enough protection within the local legal framework.

Remember – the decision that the Privacy Shield Agreement is invalid is of immediate effect. Businesses should now bear in mind the extra risk involved when transferring data to the US and take appropriate steps. For now, companies may need to rely on the existing backstop-type procedure of using EU standard contractual clauses (SCCs). These can ensure adequate data protection when transferring data to the US. Companies already need to use this mechanism where there is a flow of data from the EU (or UK) to countries such as China or India. In its judgment on the Privacy Shield Agreement, the ECJ confirmed that appropriately drafted SCCs remain an acceptable way to ensure adequate data security.

It’s important to note that relying on SCCs will not be possible in every case. It will be necessary to examine the regulatory regime in the country into which the data is being imported to ensure that the company there can in fact comply fully with the SCC when processing the data. If it can’t, some other way to validly transfer the data must be found – for example, by relying on the consent of the individual data subject.

How can we help?

UK businesses now face pressure on a range of fronts. The ICO has indicated that it will react pragmatically and proportionately to the ECJ decision to invalidate the Privacy Shield. At Nath Solicitors we can help with drafting SCCs and assist with any appropriate risk assessments to ensure any data you transfer is adequately secure. Please contact us on 0203 983 8278 or use the covid19 emergency contact form to get in touch online.




Copyright. Nath Solicitors Limited. Registered in England and Wales. Company Number: 08724944. VAT number: 207490711. Office Located at: 35 Berkeley Square, London, W1J 5BF. Nath Solicitors Limited is authorised and regulated by the Solicitors Regulatory Authority. Registration number 608014.