July 16, 2020
The European Court of Justice has ruled that the decision adopted by the European Commission in 2016, which endorsed the EU/US Privacy Shield for the transfer of data from the EU to the US, was invalid. The effect of the decision is that any business which currently relies on the Privacy Shield for the transfer of personal data between the UK or EU to the USA can no longer do so, with immediate effect, and should take steps now to put in place alternative means of transferring personal data across the Atlantic.
The decision was made on a number of grounds, but in essence the Court found that the extent to which United States law permits access and use of personal data by US public authorities goes beyond what is strictly necessary, and therefore United States law does not protect personal data to the standard required in the EU.
The immediate problem faced by businesses relying on the Privacy Shield is what alternative protection to set up for Transatlantic data transfers. The most obvious option is to put in place the appropriate European Commission Standard Contractual Clauses (SCCs) by way of a binding contractual arrangement between the parties. While that could provide an immediate solution, it seems very possible that the SCCs will also be struck down as providing no better protection for transferred data than the Privacy Shield, so they should be regarded as a short-term solution.
It is also the case that a degree of due diligence is required by parties before using the SCCs to ensure that they do in fact give the required level of protection in the jurisdiction in question, and now that the Privacy Shield has been struck down we find it difficult to see how the SCCs will survive in their current form for the reason given above.
As a first step, we would advise all businesses to check their arrangements with all US-based service providers to establish whether the arrangement relies on the Privacy Shield. Where this is the case then SCCs should be implemented without delay.
Businesses should then consider putting in place Binding Corporate Rules (BCRs) in the case of transfers to group companies, including in the USA. However BCRs take time to set up and must be approved by the relevant supervisory authority, so it is advisable to put SCCs in place in the interim.
Businesses should also consider whether any of the exemptions under Article 49 of the GDPR may apply to their transfer. Perhaps the most likely is the exemption that applies where the transfer is necessary for the performance of a contract between the data controller and the data subject, or a contract in the interest of the data subject.
We would be happy to advise on the steps businesses need to take both today and in the near future as a result of this decision. If you need advice on what you need to do as a result of this decision, please contact any member of our Data Protection team for advice or information.