EU-US Privacy Shield invalidated - What does this mean for you?

Together we are Forbes


13 October, 2020

Bethany Paliga
Senior Associate

The transfer of personal data from outside the European Union to a third country is prohibited under the General Data Protection Regulation (GDPR) unless certain safeguards are met. These safeguards include:

  • Under Article 45, GDPR - where there is a European Commission adequacy decision which covers the country to which personal data is being transferred.
  • Where there are appropriate safeguards in place such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), subject to the condition that the data subjects have enforceable rights and effective legal remedies (Article 46 & 47, GDPR)
  • Article 49, GPDR applies - a derogation for a specific situation applies, for e.g. the data subject has given their explicit consent

In October 2015, Mr Schrems, an Austrian lawyer and data privacy campaigner, successfully challenged the validity of the EU-US Safe Harbor arrangement as a legal basis for transferring personal data from Facebook Ireland to servers located in the US, belonging to Facebook Inc. Following this challenge, in July 2016, the European Commission adopted a replacement adequacy decision - a new framework for EU-US personal data flows - the EU-US Privacy Shield. Popular services such as Google mail and Zoom relied on the Privacy Shield to transfer personal data from the EU to the US.

In 2018, Mr Schrems reformulated his complaint (Schrems II) arguing that even Privacy Shield, and separately, the Standard Contractual Clauses that are used as an alternative mechanism for enabling data flows from the EU to third countries also failed to protect EU citizen's rights in accordance with EU laws.

In July 2020, the Court of Justice of the European Union (CJEU) concluded that Privacy Shield was invalid on the basis that US security and law enforcement agencies' needs were being prioritised over the rights of EU citizens. The CJEU noted that the laws of the US did not offer privacy protection equivalent to those in the EU adding that the law was disproportionate and failed to provide EU citizens with sufficient remedial rights for any misuse of their personal data transferred to the US.

In respect of Schrems II challenge of the validity of the Standard Contractual Clauses, the CJEU ruled that the controller to processor SCCs remains valid.

What does this mean for your business that transfers personal data to the US?

The immediate alternative for transfer of personal data to the US regulated by the GDPR is to put in place SCCs between your business and the organisation based in the US to which the personal data is being transferred.

Even though the decision of the SCCs remain valid, businesses using controller to processor SCCs or planning to do so, now face additional burdens of assessing whether (in the overall context of the transfer) there are appropriate safeguards in the third country. In ascertaining whether SCCs are an appropriate mechanism, EU data exporters will not only need to take into account the destination of the personal data, but also, in particular, any access of this personal data by public authorities and the availability of judicial redress for individuals, and may need to adopt additional safeguards.

The Information Commissioner's Office (ICO) has issued an updated statement in consideration of the Schrems II judgment issued by the CJEU. In its statement, the ICO has reminded organisations that the judgment has wider consequences than just the invalidation of the Privacy Shield, as the use of SCCs and other safeguarding measures used to lawfully transfer personal data to third countries were also examined. This will inevitably affect data exports from both the EU and UK. Further, organisations should be co-operating with their data importers and reviewing their data protection measures for international transfers. The ICO emphasises on following the recommendation of the European Data Protection Board to conduct a risk assessment as to whether the laws in any third country not just the US, will prevent the data protection terms in the SCCs from being effective.

The ICO confirmed that it is still reviewing the practical implications of the judgment and will continue to provide practical and pragmatic advice and support.

How does this decision affect the UK post Brexit?

The EU and the UK are currently in negotiations in respect of an adequacy decision, as the UK will become a third country at the end of the transition period on 31 December 2020. The European Commission recently echoed that it will use its best endeavours to conclude the assessment of the UK regime by the end of the transition period with a view to adopting an adequacy decision subject to the UK meeting the applicable conditions.

It will be interesting whether the preliminary ruling in Schrems II impacts on those negotiations. What will also be interesting is whether it impacts on the personal data flows from the UK to US at the end of the transition period.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

ICO Launches Accountability Framework

UPDATE: RCOG Occupational health guidance for employers &…

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday: