Privacy Shield is no longer deemed to provide adequate security for the transfer of personal data from to the United States. The judgment handed down by the Court of Justice of the European Union (CJEU) in the case known as ‘Shrems II’, is the second case in recent years which has resulted in an adequacy decision relating to the US being invalidated. The CJEU also looked at the use of the Standard Contractual Clauses (SCC) which, although remain valid, are subject to additional obligations by both exporters and importers of personal data.
Shrems I and Shrems II
‘Shrems I’ concerned a complaint to the Irish supervisory authority by Mr Shrems as to Facebook’s reliance on the US-EU Safe Harbour scheme to legitimise the transfer of personal data from Europe to the US, claiming that the scheme did not sufficiently protect personal data whilst in the US. This resulted in the invalidation of the Safe Harbour scheme in 2015.
This latest judgment concerned the well-known ‘Shrems II’ case, under which the claimant, Mr Shrems, again challenged the legitimacy of transfers of personal data made by Facebook to its US entity. Proceedings were brought before the Irish High Court and subsequently referred to the CJEU.
The CJEU, in delivering its judgment earlier this week, held that Privacy Shield can no longer be relied upon to lawfully transfer personal data from Europe to the US. In reaching its decision, the CJEU looked at the European Commission’s considerations when assessing a decision of adequacy relating to a third country. A third country is one that is situated outside the European Economic Area and where no existing decision of adequacy as to the protection of personal data exists. These considerations would include, for example, access to the transferred personal data by public authorities within the recipient country, and the ability for the data subjects to effectively exercise rights similar to those under the GDPR. In its assessment, the CJEU did not consider that US law sufficiently set out the relevant limitations on the powers of the intelligence services within the US, nor did it provide effective rights for those individuals whose data had been transferred.
Standard contractual clauses
SCC were also considered under this case and, although deemed to continue to be a lawful mechanism for the transfer of personal data to a third country, the CJEU made clear that SCC alone may not be sufficient; there is an obligation on the exporter of the personal data to fully consider the local laws of the receiving country in light of those considerations of the European Commission referred to above.
This means that, where SCC are intended to be relied upon, the exporter of the personal data needs to ensure that local laws of the receiving country are sufficiently robust to adequately protect the personal data transferred, in particular, with reference to the access to personal data by public authorities within the receiving country, and the provision of effective rights and remedies available to data subjects. If it is determined that such adequate protection does not exist, further measures may be required to be implemented by the exporter to safeguard the personal data.
Where an importer of personal data is required by local laws to disclose that personal data to public authorities, it would need to notify the exporter, following which the exporter would need to suspend / terminate the transfer or forward any such notification to the relevant supervisory authority (in the UK, the Information Commissioner’s Office (the ICO). This will no doubt result in further assurances being sought from importers of data as to their ability to comply with the obligations set out in the SCC and their ability to provide an appropriate level of protection to the personal data in light of local laws.
The UK government has issued a statement expressing its disappointment at the decision invalidating the adequacy of the EU-US Privacy Shield, however it is working with the ICO to address the impact of the ruling.
Likewise, the ICO has issued a statement saying that it stands ‘ready to support UK organisations and will be working with the UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.’
This decision clarifies existing law with respect to Privacy Shield in that it is no longer a lawful mechanism to be relied upon when transferring personal data from the EU to the US, however further guidance is required from the supervisory authorities and the European Data Protection Board for organisations to enable them to lawfully transfer personal data to the US and the additional suitable safeguards that may be implemented to supplement the SCC, where required.
All those involved in transfers of personal data from Europe to the US should regularly check for updated guidance from the ICO or other relevant supervisory authority.
In the meantime:
- Identify all existing transfers of personal data;
- where transfers rely on Privacy Shield, other available safeguards that are deemed appropriate under the GDPR will need to be considered and an alternative identified; and
- where transfers rely on SCC, each transfer will need to be assessed in light of the laws of the destination country to determine whether the transfers should be suspended or terminated, or whether additional protections require implementation. This is likely to require the exporter and importer to work together and may result in the exporter seeking further assurances from the importer that it can comply with its obligations within the SCC.
If you have any questions or would like any further information regarding the above, please do get in touch.