< Back to latest news & events

News

Privacy Shield ruling introduces new challenges to personal data transfers to the US (and elsewhere)

August 2020

EU and UK data protection legislation contains long standing restrictions around transferring personal data to third countries outside of the European Economic Area (EEA) where the country in which the recipient is located has, in the eyes of the European Commission, inadequate protections for that personal data.

This list of countries with an ‘adequacy decision’ currently stand as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, with partial findings for Japan and Canada.

Distinct processes have been put in place to allow transfers to the USA. These started with the first ‘Safe Harbour’, which was struck down by the Court of Justice of the European Union (CJEU) in Schrems I in October 2015 arising from a referral from the High Court of Ireland following a complaint from a privacy activist in relation to Facebook’s use of personal data. After some brief excitement/panic in the data protection community, July 2016 saw a replacement process, ‘Privacy Shield’, being put in place. Four years later in July 2020, following another referral from the Irish High Court from the same privacy activist, the CJEU struck down Privacy Shield in Schrems II, again striking down a distinct process allowing data transfer in to the USA and leaving transfers made using this process in limbo.

Following the Schrems II ruling, which will be following up a judgment by the Irish court, the UK Information Commissioner’s Office view is that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA, and that Privacy Shield should not be used to give legitimacy to personal data transfers to the USA (particularly new transfers).

While ‘Privacy Shield’ was struck down by the July 2020 ruling, there was also a concern that the ‘Standard Contractual Clauses’ (SCC) which, if used, also allow transfer to non-EEA countries without an adequacy decision (including the USA), would also come under the scrutiny on the CJEU. While the court did give consideration to SCC, these were not struck down, with the court’s view being that the use of SCCs do not in themselves automatically give a transfer legitimacy and the need for supplementary measures will need to be considered on a case-by-case basis.

While the judgement says SCC are still a valid mechanism, it does add a condition upon the exporting data controller to ascertain, to its own satisfaction, that the laws governing the importing recipient are not going to undermine the protections otherwise guaranteed by SCC (essentially equivalent). Whether requiring controllers to assess the laws of every country in which recipients may be based to enable these kinds of assessments on a case by case basis is workable (or fair particularly to smaller exporters) is to be seen. This introduces the prospect of a need for Transfer Impact Assessments being added to the (seemingly) growing list of documentation to satisfy record keeping and accountability obligations.

The ICO’s view is that for now, those exporting personal data should take stock of the international transfers they make and react promptly as guidance and advice becomes available. European Data Protection Board and the ICO have both have committed to produce further guidance so this will be an ongoing topic for the foreseeable.

On the subject of ongoing topics, issues around international transfer of personal data have a Brexit angle. Following the transition period, the UK will become a third country for the purpose of  transfer of personal data out of the EEA. Without an adequacy decision from the Commission, or the negotiation and approval of some form of special arrangements, the UK  will be in the same position as all other third countries without an adequacy decision. Without something in place this puts a risk on the transferor for all transfers of personal data from the EEA in to the UK post transition period whether internal within an organisation or to an external entity. While SCC’s can still be used to manage this risk, more in-depth considerations, as discussed above, will be required to ensure their use is valid. Given this, being aware of your organisation’s data transfers from the EEA in to the UK should be given priority and preparations made to ensure a smooth transfer to post Brexit incoming transfers of personal data.

This article was prepared by HGF Senior IP Solicitor James Talbot. If you would like further advice on this or any other matter, please contact James. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.

Latest updates

Understanding IP Risks in the Age of AI

Generative Artificial Intelligence (AI) has become a transformative force in many industries, offering unprecedented opportunities for innovation and efficiency. However, along with those opportunities also comes risk. This article explores …

Read article

More Exam Success at HGF!

HGF is delighted to announce success for many of our colleagues in the recent exams and to congratulate them on this fantastic achievement. Martyn Fish CEO comments, “These exams are …

Read article

IP Ingredients Blog, Parts 1-9

Welcome to our new blog series, IP Ingredients, created by our Food & Drink Team. This blog will explore the latest IP news, updates, and discussions in the food & …

Read article

Protecting Progress: Intellectual Property Considerations for Sustainable Aerospace Innovations

The aerospace industry has long been associated with cutting-edge technology and innovation. With the ambitious target of achieving net-zero carbon emissions by 2050, the development of innovative technologies that reduce …

Read article

9th Annual Translational Microbiome Conference

Partner and Patent Attorney Craig Thomson will be speaking at the upcoming 9th Annual Translational Microbiome Conference in Boston, US on the 25th March 2024. This event will continue to …

Read article

Diagnosis and chill? The rise of AI health tech subscription services

By automating tedious and time-consuming tasks, and having the capability to identify trends and connections in vast amounts of patient data, AI has the potential for good, to speed up diagnosis, improve …

Read article