Last Thursday, in a landmark decision, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, the EU-US agreement that allows unrestricted transfers of personal data from the EU to over 5,000 certified organisations in the US.
The implications of this decision are significant and wide-ranging: not only does this create uncertainty regarding data transfers to the US, but it also puts pressure on the US to reform its surveillance practices and creates problems for the UK’s position post-Brexit as an international business and data hub.
This article looks at what the CJEU’s decision means for your business’s transfers of personal data from the UK or EU to the US.
What is Privacy Shield?
Generally, flows of personal data from the EU to non-EU countries (the UK excepted until the end of the Brexit transition period) are prohibited under the General Data Protection Regulation (GDPR) unless certain safeguards are put in place to ensure adequate data protection.
Privacy Shield is a framework permitting transfers of personal data from the EU and the UK to certified US-based organisations that have agreed to higher standards of data protection than those currently required under US laws. It requires greater co-operation between the US and European data protection regulators. Privacy Shield replaced a previous framework called Safe Harbor, whose validity was successfully challenged in the CJEU by a data privacy campaigner called Max Schrems. Popular services such as Zoom and Gmail rely on Privacy Shield.
Why was Privacy Shield invalidated?
After Safe Harbor was struck down, Schrems filed a second case in 2018, arguing that even Privacy Shield and, separately, the European Commission’s Standard Contractual Clauses (which are used as an alternative mechanism for enabling data flows from the EU to third countries) also failed to protect EU citizens’ rights in accordance with EU laws.
Last December, the CJEU’s Advocate General raised questions over Privacy Shield’s validity in light of US surveillance practices. Last week, the CJEU concluded that Privacy Shield was invalid on the grounds that it prioritised the needs of US security and law enforcement agencies over the rights of EU citizens. The CJEU found that US surveillance laws meant that US-based organisations did not offer privacy protections equivalent to those in the EU, adding that these US laws were disproportionate and failed to provide EU citizens with adequate rights of redress for any misuse of their personal data transferred to the US.
Although Schrems had also challenged the validity of the Standard Contractual Clauses (SCCs), the CJEU did not abolish these.
What should my business do now in respect of transfers of personal data to the US?
Your immediate options regarding your business’s transfer to the US of personal data regulated by the GDPR are as follows:
- Put in place Standard Contractual Clauses (SCCs) between your business and the US-based organisation to which you wish to transfer personal data.
This may be easier said than done, however, if your business acts as a processor on behalf of another entity and the US-based organisation to which you are transferring personal data is your sub-processor, since no processor-to-processor SCCs currently exist. Our specialist data privacy team can advise on how to handle this.
It is also worth noting that last week’s ruling means that the days of SCCs in their present form could be numbered, since it casts doubt over their continued operation as a reliable and long-term mechanism for transatlantic data transfers. In particular, data exporters using SCCs are now asked to demonstrate, before transferring data to the US, that the transferred data will be afforded equivalent levels of protection as within the EU. Practically, this may be difficult in light of current US surveillance laws. US-based organisations receiving personal data from the EU and the UK under SCCs must inform the data exporter of any inability to ensure equivalent levels of protection, in which case the exporter will be required to suspend or terminate the data transfer under the SCCs.
- Await further guidance from the Information Commissioner’s Office.
The UK’s data protection and privacy regulator, the Information Commissioner’s Office (ICO), issued a statement last week asking affected businesses in the UK that already rely on Privacy Shield to continue doing so until new guidance is available. US organisations that are Privacy Shield-certified will still be required to meet their obligations under Privacy Shield unless they withdraw from it (in which case, they will need to return or delete the transferred personal data or implement another authorised mechanism to protect the data).
However, choosing to hold tight for now will not be your decision to take if your business is a processor (rather than controller) of personal data that is being exported to the US, and you will not be able to rely on the ICO’s statement for any transfers to the US from EU countries outside the UK (such as the Republic of Ireland).
In addition, the ICO has asked that businesses do not start using Privacy Shield now that it has been invalidated.
- Restructure your data flows so no personal data is transferred to the US.
Following last week’s ruling, Schrems stated that “the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market”. In the current political climate, however, it seems unlikely that the US will overhaul its security and surveillance laws and practices simply to facilitate a new transatlantic data transfer framework. While restructuring your data flows so that no personal data is transferred to the US might sound like a headache, as well as a costly exercise, this could be worthwhile in the long run if, now that Privacy Shield is not an option, the current SCCs are unworkable for EU-US transfers.
How does this affect the UK post-Brexit?
Last week’s judgment further complicates data flows in and out of the UK once the Brexit transition period ends on 31 December 2020.
With nearly 12% of global cross-border data flowing through the country, the UK is a major international data hub. Unsurprisingly, the UK wishes to maintain unrestricted transfers of personal data with both the EU and the US after Brexit. It had been hoped that the UK would receive an adequacy decision from the European Commission so that transfers between the UK and EU would continue much as they do now.
However, the UK’s own Security Service has surveillance powers under the Investigatory Powers Act 2016 that have caused concern about their compatibility with data privacy rights under the GDPR, and if the UK additionally seeks to enable unrestricted transfers of personal data with the US, it is difficult to see an adequacy decision being granted. If the UK does not receive an adequacy decision by the end of 2020, then British businesses will most likely have to put in place SCCs with EU-based organisations (to the extent this is possible) in order to enable continued personal data flows.
In this way, the CJEU’s ruling could mark the beginnings of a privacy and data trade war between the EU and the US, with a post-Brexit Britain caught in the middle and having to make difficult choices.
Why does this matter to my business?
Under the GDPR, data protection regulators in the UK and the EU (including the ICO) have extensive enforcement powers, including the ability to fine businesses up to 4% of their worldwide turnover or €20 million (whichever is greater) for contraventions of the legislation. A UK version of the GDPR, which will replicate the existing provisions, will apply in the UK after Brexit, so the ICO is expected to continue to be able to impose fines where it considers appropriate. If your business model necessitates or relies on global transfers of personal data, it is therefore crucial to ensure and maintain compliance.