Landmark CJEU Ruling: EU-US Privacy Shield No Longer Valid
In a landmark ruling in “Schrems II” by the European Court of Justice on 16 July 2020, it was declared that the EU-US Privacy Shield is no longer valid when transferring personal data from the EU to the US on the basis that it does not fully protect EU citizens given the surveillance by US agencies. The Privacy Shield previously acted as a mechanism which complied with data protection requirements allowing transfer of personal data from EU companies to US companies.
What does this mean for businesses?
Any business that is currently relying on the US Privacy Shield to transfer personal data will need to take action. A quick fix may in certain circumstances be to enter into a new contract using the EU approved standard contractual clauses (“SCC”) to transfer personal data to the US which was upheld to be valid in the ruling. But there are practical implications to comply with the SCC which may or may not be feasible for the business. In addition, when using the SCC, businesses must now also verify whether the law in the recipient country ensures adequate protection under EU law, and additional safeguards might be required. Bear in mind also that the SCC are themselves under review to bring them in line with the EU GDPR.
For any clients currently relying on the Privacy Shield, consideration should be given to the following:
If you can avoid transferring personal data to the US, consider if you can:
Immediately cease to transfer personal data to the US; or
Move operations to transfer personal data to somewhere else with adequate protection under EU law – this of course may not be feasible in the short term (or at all) depending on IT / provider infrastructure, business operations, etc.
If you cannot avoid transferring personal data to the US, then consider placing SCC instead with the relevant provider and whether additional safeguard is required (e.g. encryption). The provider will need to understand and comply with the terms of the SCC (which cannot be amended) which in itself may require implementation of certain IT / security processes or might not be feasible. There may also be commercial implications - providers may want to charge more for any additional burden on them as a result of the SCC for example.
In the short term, if personal data has to be transferred to the USA, the SCC (with relevant additional safeguard if required) may be the quickest route to compliance subject to any further rulings to the contrary, but further analyses will need to be undertaken.
Next Steps
Given the recent ruling that the US Privacy Shield is no longer a lawful mechanism under EU law, it is vital that businesses review any current arrangements that involve transfer of personal data to the USA or outside of the EEA.
Our specialists can help and provide advice on:
minimising your risks of non-compliance
legal mechanisms of transferring personal data and their implementation
switching providers of data processing services
putting together an appropriate data protection agreement for your existing or new provider/s for data transfers to the US
renegotiating commercial contracts resulting from changes of operations
other legal implications arising from these changes
any implications with respect to Brexit