The EU-US Privacy Shield was invalidated on 16 July 2020 by a ruling of the Court of Justice of the European Union (CJEU) in the case known as Schrems II (C-311/18). The case challenged the mechanisms used for transfers of personal data from the EU to the US, and the Court held that the Privacy Shield does not ensure a level of protection essentially equivalent to that required by EU law.
This is a landmark decision with a definite ripple effect, as the Privacy Shield was one of the most widely used mechanisms allowing US commercial companies to receive and store EU personal data.
Amongst other findings, the CJEU held that the Privacy Shield gave European data subjects no actionable rights before a court against the US Government for violations, so it lacked the effective redress procedure that EU law requires. The invalidation leaves the US without an adequacy decision: US companies no longer have a privileged route for receiving EU personal data and must rely on one of the other transfer mechanisms.
What is the Privacy Shield?
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
On 12 July 2016, the European Commission adopted an adequacy decision recognising the EU-U.S. Privacy Shield Framework as a valid basis for data transfers under EU law. On 12 January 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism for complying with Swiss requirements when transferring personal data from Switzerland to the United States.
Impact of the invalidated Privacy Shield
While the Privacy Shield was invalidated, the Standard Contractual Clauses (SCCs) remain valid for the moment. Where formerly there was a mentality of “sign and forget” with respect to SCCs, the ruling reinforces the obligation of data exporters and importers to verify, before and during the transfer, that the importer's jurisdiction guarantees a level of protection essentially equivalent to that in the EU, supplementing the clauses with additional measures where necessary. Where adequate protection cannot be guaranteed, the exporter must suspend or end the transfer, and the competent supervisory authority is required to suspend or prohibit it. For the thousands of SCCs already in place, this means further scrutiny.
- U.S. companies that rely on the Privacy Shield must explore other data transfer options to avoid GDPR violations
- U.S. companies that rely on the SCCs are now subject to further scrutiny.
- EU Businesses that export data into the U.S. (including those that work with data processors in the U.S.) can still use SCCs for these transfers.
The GDPR (Articles 46, 47 and 49) provides additional transfer mechanisms, including binding corporate rules (Articles 46 and 47) and, under the Article 49 derogations, explicit consent from the data subject to the proposed transfer, or a transfer that is necessary for the performance of a contract with the data subject.
What does this mean for the UK?
The UK already faced a difficult path to obtaining an adequacy decision from the EU, and the fall of the Privacy Shield adds another complication. The UK is aiming for unrestricted data transfers with both the EU and the US. With the EU, this would be achieved via an EU adequacy decision, whereby the European Commission formally recognises the UK as providing an adequate level of protection for personal data.
With the US, the plan was for the UK and US to essentially copy the EU-US Privacy Shield, which had been “rolled over” into UK law ahead of Brexit. The CJEU's ruling has undermined these plans.
What should we expect next?
We are effectively in a waiting game to see how this plays out, as the impact has yet to be widely felt.
The CJEU has reiterated that EU standards of data protection must travel with the data, indicating that the implications are wider than the invalidation of the Privacy Shield alone.
The EDPB has issued FAQs on the invalidation of the Privacy Shield. Following this judgment, supervisory authorities have an important role to play in overseeing international transfers. The EDPB has recommended that organisations assess, case by case, whether the SCCs provide adequate protection given the legal framework of the importing country. The ICO states, “We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.”
As the EU tightens its stance on transfers to the US, we can assume it will do the same with the UK. Although the judgment has no impact on the legal criteria for adequacy, it will certainly affect the dynamics of the political assessment. A precedent has been set whereby the CJEU will readily invalidate an adequacy decision where a third country's national security and surveillance legislation is deemed unfit by European standards; this leaves the UK in a position of uncertainty over an adequacy decision, even with rigorous enforcement of the GDPR post-Brexit.