- Transfers of personal data to the US of people in the UK or EU that rely on the Privacy shield are unlawful with immediate effect
- This doesn’t necessarily mean all transfers to the US are unlawful
- Transfers relying on SCCs, BCRs, or Explicit Consent may be okay – although the challenges with the primacy of US domestic law remain
- This decision potentially impacts transfers to any Third Country that has not been granted Adequacy status by the European Commission
- Post-Brexit, the UK could experience the same fate unless there is an adequacy decision in our favour
What you need to know
On 16 July 2020 in what’s colloquially known as Schrems II, the European Court of Justice (CJEU) held that the Privacy Shield between the EU and the US is invalid. This means all transfers of personal data to the US that rely on the Privacy Shield are illegal with immediate effect. There is no grace period.
By way of background, under the GDPR (implemented into the UK by way of the Data Protection Act 2018), personal data of people in the UK and EU may only be transferred to a Third Country if certain conditions are met. This is to ensure that the rights and protections given under the GDPR are kept intact no matter where their personal data travels.
Where a country has been granted Adequacy status by the European Commission (under Article 45), for example, we can transfer personal data relatively freely, provided we comply with the other provisions of the GDPR. This is because the protections in that country are deemed by the Commission to be essentially equivalent to the protections set out in the GDPR. A list of countries granted Adequacy status can be found here. As a country, the US was not on the list. Yet there was something called the Privacy Shield Framework that did make it on to the list. The Privacy Shield acted as a workaround. It was like a conduit between the EU and US, allowing transfers of personal data from the EU to those US companies who were on the Privacy Shield list. Again, the idea being that those companies respected the protections granted under the GDPR.
There has been a series of hearings testing this area over the years. And until now, the Privacy Shield has been upheld. Yet on 16 July, the CJEU held the Privacy Shield invalid.
Why the change?
So why the change? The short answer – this is about the surveillance and intelligence gathering powers and practices utilised by the US government. Yes, the companies on the Privacy Shield list are (self) certified as having GDPR equivalent safeguards. But US domestic law (for example under FISA) grants powers to their intelligence agencies to bulk collect and search through incoming internet traffic. The agencies can also compel electronic communication service providers (for example Telcos, internet service providers, cloud storage and social networks) to turn certain data over and put gag orders on them. This can be done without warrants or other checks and balances ensuring necessity and proportionality. In most cases, the individuals (indeed the companies transferring their data) wouldn’t know this is occurring, yet even if they come to know somehow, there’s no effective legal recourse available to them in the US.
So what does this mean for my business?
Even if you operate a UK only business, it’s likely that you rely on technology that operates outside the UK and the EU. This means it’s also likely that you are already transferring personal data to Third countries including the US.
You may have been relying on the Privacy Shield. If so, you’ll need to re-assess. To recap, when making a transfer of personal data to any Third Country, you need to meet one of the conditions listed in the GDPR. The Privacy Shield was one that permitted transfers to certain US entities (based on Adequacy). Other possible avenues are set out in Articles 46-49 of the GDPR and include Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or, in exceptional circumstances, Explicit Consent. The CJEU’s ruling only invalidates the Privacy Shield. Nothing has necessarily changed if you were relying on Explicit Consent, SCCs or BCRs; however, it is worth sharing that the problems with the primacy of US surveillance and intelligence laws remain, and SCCs and BCRs will likely also need to be re-assessed.
What to do now
Options include – stop all transfers to the US (!) or manage risks as best you are able. There are already talks between the US and EU regarding an enhanced Privacy Shield so a workaround may be forthcoming. Yet this may take time. If this is an area of particular concern, we suggest the following steps to get started:
- Isolate and review your Third Country data flows – focusing particularly on the US for now
- List who you are transferring personal data to and where they are located
- Remember this is likely wider than you might think. For example, the relevant recipients are not only the US entities based in the US. Also include US entities based in the EU (because US domestic laws have jurisdiction over them)
- Look at what data you are transferring. How much of it is personal data?
- Identify the current legal basis for personal data transfers (see Articles 44-49 GDPR). For example, are you relying on Adequacy/Privacy Shield? SCCs? BCRs? Explicit Consent?
- Suspend data transfers if you or one of your partners use the Privacy Shield.
- Can you minimise the footprint? Ask whether these transfers are strictly necessary
- Are there elements that must be transferred? Are there elements that don’t need to be transferred?
- For unavoidable transfers – ask, how much can you pseudonymise? Can you encrypt? Can you use access controls to help ensure only the recipient can read the content?
- Then determine the best alternative legal basis in place of the Privacy Shield (re-visit Articles 44-49 GDPR)
- Be careful not to jump straight to Article 49 (Explicit Consent) as your silver bullet. It is only for occasional, non-repetitive transfers of personal data and you’ll need to fully disclose the risks about surveillance to the data subject beforehand for the consent to count
- Look out for further guidance from the ICO and the EDPB
The CJEU ruling offers more questions than answers. Yes, the Privacy Shield is now not adequate. But if the root cause is the primacy of US surveillance and intelligence-gathering powers, how can SCCs and BCRs be upheld? What really are the options available to us? And how can we, the business community, be expected to solve a legal-political issue that our governments have not?
Written by Twiggy Harding and Abigail Dubiniecki
Co-Founder and Privacy Specialist at My Inhouse Lawyer