13 October, 2020
The transfer of personal data from outside the European Union to a third country is prohibited under the General Data Protection Regulation (GDPR) unless certain safeguards are met. These safeguards include:
In October 2015, Mr Schrems, an Austrian lawyer and data privacy campaigner, successfully challenged the validity of the EU-US Safe Harbor arrangement as a legal basis for transferring personal data from Facebook Ireland to servers located in the US, belonging to Facebook Inc. Following this challenge, in July 2016, the European Commission adopted a replacement adequacy decision - a new framework for EU-US personal data flows - the EU-US Privacy Shield. Popular services such as Google mail and Zoom relied on the Privacy Shield to transfer personal data from the EU to the US.
In 2018, Mr Schrems reformulated his complaint (Schrems II) arguing that even Privacy Shield, and separately, the Standard Contractual Clauses that are used as an alternative mechanism for enabling data flows from the EU to third countries also failed to protect EU citizen's rights in accordance with EU laws.
In July 2020, the Court of Justice of the European Union (CJEU) concluded that Privacy Shield was invalid on the basis that US security and law enforcement agencies' needs were being prioritised over the rights of EU citizens. The CJEU noted that the laws of the US did not offer privacy protection equivalent to those in the EU adding that the law was disproportionate and failed to provide EU citizens with sufficient remedial rights for any misuse of their personal data transferred to the US.
In respect of Schrems II challenge of the validity of the Standard Contractual Clauses, the CJEU ruled that the controller to processor SCCs remains valid.
The immediate alternative for transfer of personal data to the US regulated by the GDPR is to put in place SCCs between your business and the organisation based in the US to which the personal data is being transferred.
Even though the decision of the SCCs remain valid, businesses using controller to processor SCCs or planning to do so, now face additional burdens of assessing whether (in the overall context of the transfer) there are appropriate safeguards in the third country. In ascertaining whether SCCs are an appropriate mechanism, EU data exporters will not only need to take into account the destination of the personal data, but also, in particular, any access of this personal data by public authorities and the availability of judicial redress for individuals, and may need to adopt additional safeguards.
The Information Commissioner's Office (ICO) has issued an updated statement in consideration of the Schrems II judgment issued by the CJEU. In its statement, the ICO has reminded organisations that the judgment has wider consequences than just the invalidation of the Privacy Shield, as the use of SCCs and other safeguarding measures used to lawfully transfer personal data to third countries were also examined. This will inevitably affect data exports from both the EU and UK. Further, organisations should be co-operating with their data importers and reviewing their data protection measures for international transfers. The ICO emphasises on following the recommendation of the European Data Protection Board to conduct a risk assessment as to whether the laws in any third country not just the US, will prevent the data protection terms in the SCCs from being effective.
The ICO confirmed that it is still reviewing the practical implications of the judgment and will continue to provide practical and pragmatic advice and support.
The EU and the UK are currently in negotiations in respect of an adequacy decision, as the UK will become a third country at the end of the transition period on 31 December 2020. The European Commission recently echoed that it will use its best endeavours to conclude the assessment of the UK regime by the end of the transition period with a view to adopting an adequacy decision subject to the UK meeting the applicable conditions.
It will be interesting whether the preliminary ruling in Schrems II impacts on those negotiations. What will also be interesting is whether it impacts on the personal data flows from the UK to US at the end of the transition period.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.