17th July 2020
The Court of Justice of the European Union (CJEU) has driven the final nail into the coffin of the beleaguered EU-US Privacy Shield. Walker Morris data protection and privacy experts explain the judgment and what it means for transfers to the USA, as well as the potential implications for post-Brexit Britain.
The GDPR permits transfers of personal data to so-called third countries (that is, countries outside the European Economic Area (EEA)) only where the data will continue to receive a level of protection essentially equivalent to that guaranteed by the GDPR, whether by virtue of an adequacy decision or of appropriate safeguards put in place by the parties.
The Privacy Shield framework was a set of voluntary obligations and principles relating to the protection of personal data, overseen by the US Department of Commerce, that US organisations could elect to be bound by. Organisations that underwent Privacy Shield certification were bound by its requirements and were deemed to provide an adequate level of protection for personal data.
Accordingly, EEA organisations could freely transfer personal data to organisations in the USA that were ‘Privacy Shield certified’ and such certifications formed the basis for significant volumes of personal data transfers.
In July 2016, the European Commission adopted an adequacy decision confirming that the Privacy Shield framework met the standards required under EU law. That did not prevent Privacy Shield from being the subject of much discussion by privacy law commentators and activists, in much the same way as its predecessor, the Safe Harbor Principles. Complaints generally related to the wide powers afforded to public authorities in the USA to obtain access to personal data held by private organisations – particularly for government surveillance purposes – which sit uneasily with fundamental principles of EU data protection law. Critics argued that Privacy Shield failed to take sufficient steps to prevent such access to data transferred to organisations in the USA.
On 16 July 2020, when considering a complaint brought against Facebook Ireland by Austrian privacy activist Maximilian Schrems on this issue, the CJEU held that the Commission's adequacy decision was invalid because Privacy Shield did not afford adequate protection for personal data transferred to organisations that had self-certified under it. Following the judgment – known as Schrems II – personal data can no longer be compliantly transferred from the EEA to organisations in the USA on the basis of Privacy Shield certifications.
While Privacy Shield has been invalidated in accordance with the Schrems II decision, other “appropriate safeguards” remain in place to allow personal data to be transferred to the USA.
One of the key appropriate safeguards is the standard data protection clauses adopted by the European Commission, which are often referred to as the Model Clauses, or Standard Contractual Clauses (SCCs). The SCCs take the form of a prescribed contractual agreement that can be entered into between the two parties involved in a transfer of data where the exporting data controller is in the EEA and the data importer (which can be a controller or a processor) is outside the EEA.
As part of the complaint brought by Mr Schrems, the CJEU considered the validity of the SCCs as a means of transferring data to the USA. The Court concluded “that the validity of [the SCCs] is not called into question by the mere fact that [they] do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred.”
The CJEU did not therefore invalidate use of the SCCs, but it made clear that the data exporter must assess, on a case-by-case basis, whether the law and practice of the destination country allow the importer to honour the clauses, and must put in place supplementary measures where they do not. Supervisory authorities (such as the Information Commissioner's Office (ICO) in the UK) are required to suspend or prohibit transfers made under the SCCs where the clauses cannot be complied with in the third country and the protection of the data cannot be ensured by other means.
While the CJEU only considered the controller-to-processor SCCs in Schrems II, the decision is widely considered to apply equally to the controller-to-controller SCCs.
The ICO is reviewing its guidance following the Schrems II judgment. Until it publishes updated guidance, the ICO advises that organisations currently using Privacy Shield as the basis for personal data transfer from the EEA to the USA should continue to do so. However, organisations not currently using Privacy Shield should not start to do so.
EEA organisations that transfer data to the USA should review data sharing arrangements and identify where these are based on Privacy Shield certifications.
Once these have been identified, the agreements should be reviewed. Some agreements may include provisions that govern what should happen should the Privacy Shield framework be removed. Where the agreement is silent on this topic, the following options could be considered:
European Commission Vice President Věra Jourová confirmed in a statement following the judgment that the Commission will continue its work to modernise the SCCs and will engage with its counterparts in the USA to ensure that options for safe transatlantic data flows remain available. However, the EU and the USA have fundamental differences over the balance between individuals' rights to privacy and the ability of the security services to obtain and intercept personal data, and these may prove difficult to reconcile.
US Secretary of Commerce Wilbur Ross also issued a statement, commenting that the Department of Commerce will study the decision to fully understand its practical impacts but that it hopes to be able to limit the negative consequences. He said the Department of Commerce will continue to administer the Privacy Shield programme notwithstanding the recent decision. US organisations that are certified with the Privacy Shield must therefore continue to operate in accordance with its principles.
Comments made in the judgment, and the EU's strict stance on state surveillance, could also pose issues for the UK in relation to Brexit. As part of the Brexit negotiations, the UK is seeking an adequacy decision from the EU – a finding that UK law upholds the same standard of data protection as the EU – to allow uninterrupted data transfers between organisations in the EU and those in the UK once the UK becomes a third country.
However, the UK is also seeking to negotiate a data trade arrangement with the USA. If that happens, the EU will be sure to ask how personal data can be safely transferred from the EEA to the UK if it may then be freely transferred onward to the USA. Were the European Commission to conclude that the UK might simply be used as a staging post between the EEA and the USA for data transfers, the UK's ability to obtain an adequacy decision could be seriously inhibited.
The UK Government has also historically taken a more relaxed approach to surveillance by public authorities than the EU, which places greater emphasis on the rights of individuals. The UK's Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016 and the UK's membership of the Five Eyes intelligence alliance will all be scrutinised by the EU in any adequacy decision process, particularly in light of the Schrems II decision.
It is hoped that the European Data Protection Board will publish clear guidance on this issue in short order as companies seek to understand the wider ramifications. Walker Morris will continue to monitor the evolving situation and provide updates as they develop.
For more details on the specific reasons behind the invalidation of the Privacy Shield or for help and advice on what to do now, please contact any of our specialists who can advise and guide you through the necessary process.