For nearly four years, since August 2016, we have relied on Privacy Shield to make transfers of personal data from the EEA to the US; Privacy Shield was considered to be compliant with the General Data Protection Regulation 2016/679 (GDPR), so US companies could sign up to Privacy Shield and be automatically deemed to meet the high standards of the GDPR in protecting personal data.
But in July, the European court ruled that Privacy Shield did not provide an “essentially equivalent protection” of personal data when compared with the GDPR. The US law permits surveillance of data even where Privacy Shield was the method for transfer, which contravenes the protections granted by the GDPR to EEA citizens’ personal data. The court ruling has entirely undermined Privacy Shield and overnight invalidated it as a means of lawfully transferring personal data from the EEA to the US.
Currently, and for the foreseeable future, the UK remains aligned with the EU on data protection law and policy, so the European court ruling has importance for all transfers of personal data out of the UK to the US, as well as to other third countries.
SCCs and BCRs
In its ruling, the European court emphasised that the use of Standard Contractual Clauses (SCCs) could not be relied on to replace Privacy Shield as a ‘safe’ or GDPR-compliant means of personal data transfer, as the US laws permitting surveillance of data would have primacy over any private contractual arrangements between the parties such as SCCs.
The European courts stated that, unless the personal data exporters and personal data importers could find a means of ensuring the security of the personal data in accordance with the GDPR, despite the third country’s (in this case, the US) national approaches to the treatment of personal data, any transfer of personal data of EEA citizens into the third country would be unlawful.
Next, the Binding Corporate Rules (BCRs) came into question. These were one of the favoured ways of transferring personal data from the EEA to the US within a large international corporate group; here, the international corporate group put together their own GDPR compliant arrangement for submission to, and approval by, their local supervisory authority. Initially, it was considered that BCRs, having had formal approval from the local supervisory body, would remain GDPR compliant as a means of personal data transfer, but these are now subject to the same caveats as SCCs.
In fact, all measures for transfer into the US must be scrupulously investigated and reconsidered in the light of the domestic law allowing surveillance of data.
How can we continue to transfer personal data from the EEA to the US?
We can transfer personal data originating from EEA citizens to the US;
- where we have the individual data subject’s explicit consent to the personal data transfer envisaged, and where the data subject has been notified that the US does not meet the same high standards as the GDPR requires. A data subject can consent to the transfer of their personal data to enable the transfer to take place legally, and this may be a sensible path where the personal data relates to a particular individual’s private or business affairs.
- where the transfer is objectively necessary for the performance of a contract between the data subject and the data controller; however the transfer of personal data in this way must be occasional only – if repeat transfers take place, the data controller is expected to put other methods in place, for example requiring explicit consent as set out above.
- where the transfer is occasional and is in the public interest (not just a private contractual interest of one of the parties).
What about other third countries?
The European court talked (in their ruling on Privacy Shield) of third countries generally, rather than only the US, requiring that personal data exporters and personal data importers should consider the third country’s data protection regimes and processes in order to assess whether they, as data controllers under the GDPR, could ensure adequate protection for the personal data they were transferring out of the EEA.
This means that transferring personal data out of the EEA into any third country must now be viewed with scrutiny as to (i) whether the transferring parties can ensure equivalent levels of protection for personal data in the third country as the GDPR provides in the EEA and (ii) what other supplemental measures the transferring parties should take to ensure the personal data is kept as securely and privately as proscribed by the GDPR.
We expect further guidance from the Information Commissioner’s Office (ICO) on this point, as they are the supervisory body charged with enforcing GDPR compliance and equivalence.
Which are the best supplemental measures to take?
Which supplemental measures are required must be assessed by the parties concerned, on a case by case basis, and may be made up of different legal, technical or organisational measures. Little guidance on such measures has been provided by the ICO to date. Factors to weigh up will include:
- the nature of the personal data concerned
- the potential damage or prejudice that would flow from unauthorised access to the personal data in all the circumstances
- the third country concerned.
The key point to retain, is that the GDPR sets out to protect EEA citizens and their data privacy, and prevent damage to each data subject that might flow from unauthorised access to their data – and this must be the guiding reference.
What is a data controller’s best approach?
As a data controller, you should ensure that you are aware of where all personal data you control and are responsible for, is processed. Is the personal data stored in the EEA? Who else is involved in data processing on your behalf? Where do your data-processors store or process or access the personal data they process on your behalf?
A data-controller is principally responsible for the treatment of personal data they collect and they must authorise the use and processing of all such personal data (under Article 28(3) GDPR) in a controller-processor agreement.
Including clauses prohibiting the processing of personal data outside of the EEA (or in certain third countries) is one method of showing that a data-controller has taken steps to ensure that the personal data under their control has been appropriately managed. Forbidding transfers of personal data to the US may be necessary, and ensuring that existing controller-processor agreements are amended to reflect this would be a good step.
Finally, if despite all of these risks and practical and legal issues, a data-controller or data-processor remains convinced of the need to transfer personal data to the US (or another third party where personal data security cannot be guaranteed to be equivalent to the GDPR standard), and continues to do so, they must notify the ICO of this transfer.