Data transfers between the UK and the US covered by the Privacy Shield system do not comply with the General Data Protection Regulation (GDPR), the European Courts of Justice have declared today.
What is Privacy Shield?
Privacy Shield is a system administered by the International Trade Administration and designed by the US Department of Commerce and the EU Commission to provide a way to transfer data from the European Economic Area (EEA) to the US in compliance with the GDPR. Privacy Shield was previously given the status of “adequacy” by the European Commission on 12 July 2016, meaning that the EU Commission had declared that the provisions under Privacy Shield complied with the GDPR (Commission Decision 2016/1250).
Privacy Shield has underpinned transatlantic digital trade since its introduction, and made the transfer of EEA personal data to the US relatively simple, provided the receiving US entity was registered under the Privacy Shield system.
What has happened?
This morning (Thursday 16 July 2020) the European Courts of Justice (ECJ) have declared that the Privacy Shield system currently in use for the transfer of personal data from the EEA (and Switzerland) to the US is not compliant with the GDPR.
The case was referred to the ECJ following a complaint by Max Schrems (who has also been the originator of other complaints against Facebook since 2011).
In the same ruling, the ECJ has also confirmed that the use of so-called Standard Contractual Clauses (SCC) remains valid for the transfer of personal data outside the EEA, provided the third country “ensures an adequate level of protection”.
The ECJ decision is based on the finding that the US surveillance regime does not respect the basic rights promised to EU citizens under the GDPR, and that it places the rights of the US government above the individual rights of EU citizens under the GDPR.
Whom does it affect?
Businesses and organisations that (i) transfer personal data (as defined by the GDPR) from the EEA to the US, or (ii) transfer personal data that concerns individuals based in the EEA to the US.
So, UK-based businesses or organisations transferring personal data to the US will be affected. This includes organisations simply using US-based servers for data storage.
Also affected will be US entities dealing with EEA citizens by providing, say, services online. Even the sale of products to EEA-based consumers will involve some processing of personal data (names and delivery addresses, for example).
Finally, organisations or businesses that have bought IT systems which rely on Privacy Shield for data transfer or storage (this is perhaps less obvious) will be affected.
Such transfers of personal data, previously managed through Privacy Shield, will need to be revisited to ensure GDPR compliance.
How does it affect those people/businesses?
Organisations can no longer rely on Privacy Shield in order to transfer data to the US – if they do so, they will be making unlawful data transfers.
The immediate effect may be that businesses and organisations decide to relocate their data storage so that it remains physically within the EEA, in order to avoid transferring personal data to a third country (meaning a non-EEA country) at all. It seems, however, that many organisations may instead decide to rely on SCC for the transfer of personal data from the EEA to the US.
It should be noted that the ECJ has reiterated that any transfer of personal data based on SCC (which are contractual provisions binding the receiver of personal data) may only be made on the basis that the receiver of personal data can ensure there is an “adequate level of protection” for the personal data in accordance with the GDPR.
How that sits against the backdrop of US government surveillance of personal data is unclear, although any organisation transferring data to the US relying on SCC will only be doing so validly if there are “effective mechanisms in place to make it possible… to ensure compliance with the level of protection required by EU law” (quoted from the ruling by the ECJ).
Where transfers are between different members of a multinational company, future transfers of data to the US could be covered under the “Binding Corporate Rules” provision of the GDPR, which requires the multinational to put in place adequate measures and safeguards to provide a framework for intra-group transfers of data. These arrangements must be submitted to the local data protection authority for their authorisation. This process takes some time to set up and requires the multinational to continue to review its framework for personal data transfer management.
In the longer term, sectors or members of industry bodies could choose to set up codes of conduct, which, much like binding corporate rules, would need to be authorised by the data protection authority to enable transfers of personal data to the US to accredited members of the same sector/industry. This will also take some time to organise, but may be practical to enable smooth arrangements in some industries, such as travel.
Finally, it remains to be seen what the US response is to this ECJ ruling and whether the US government will decide to amend the protections afforded under Privacy Shield (or introduce a new system) to comply with GDPR.
What should businesses that transfer personal data to the US do immediately and in the medium term?
In order not to fall foul of the GDPR, transfers of personal data from the EEA to the US need to be reviewed immediately and potentially stopped to avoid unlawful transfers; we await the response to this ECJ ruling from the Information Commissioner’s Office in the UK for some guidance on practical solutions that they envisage.
In the medium term, SCCs seem to be a possible way forward, although not entirely free of doubt or risk.
Is the situation likely to develop or change in the near future?
Guidance from local data protection authorities is expected to follow and assist; in the UK, Brexit may have an impact on the situation.
Currently, the Data Protection Act 2018 (DPA) is aligned with the GDPR and, on Brexit, the UK appears to be aiming to receive an adequacy decision from the EU Commission to enable data transfers between the UK and the EEA to continue as before. Until Brexit is finalised, the adequacy decision cannot be granted, as the European Commission can only consider an adequacy decision once the UK is a third country under the GDPR.
Of course, following Brexit, there will be room for the UK to deviate from the GDPR and decide to align itself with the US on data transfers, possibly approving Privacy Shield as a mechanism that satisfies the DPA and enables transfers of data between the UK and the US. The risk here will be that the EU Commission and courts may then retract any “adequacy” decision they might have reached, and that data transfers with the EEA will be called into question.
It appears that data transfers and data protection will remain a hot potato for some time.