< Zurück zu den aktuellen Neuigkeiten & Events

Neuigkeiten

Privacy Shield ruling introduces new challenges to personal data transfers to the US (and elsewhere)

August 2020

EU and UK data protection legislation contains long standing restrictions around transferring personal data to third countries outside of the European Economic Area (EEA) where the country in which the recipient is located has, in the eyes of the European Commission, inadequate protections for that personal data.

This list of countries with an ‘adequacy decision’ currently stand as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, with partial findings for Japan and Canada.

Distinct processes have been put in place to allow transfers to the USA. These started with the first ‘Safe Harbour’, which was struck down by the Court of Justice of the European Union (CJEU) in Schrems I in October 2015 arising from a referral from the High Court of Ireland following a complaint from a privacy activist in relation to Facebook’s use of personal data. After some brief excitement/panic in the data protection community, July 2016 saw a replacement process, ‘Privacy Shield’, being put in place. Four years later in July 2020, following another referral from the Irish High Court from the same privacy activist, the CJEU struck down Privacy Shield in Schrems II, again striking down a distinct process allowing data transfer in to the USA and leaving transfers made using this process in limbo.

Following the Schrems II ruling, which will be following up a judgment by the Irish court, the UK Information Commissioner’s Office view is that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA, and that Privacy Shield should not be used to give legitimacy to personal data transfers to the USA (particularly new transfers).

While ‘Privacy Shield’ was struck down by the July 2020 ruling, there was also a concern that the ‘Standard Contractual Clauses’ (SCC) which, if used, also allow transfer to non-EEA countries without an adequacy decision (including the USA), would also come under the scrutiny on the CJEU. While the court did give consideration to SCC, these were not struck down, with the court’s view being that the use of SCCs do not in themselves automatically give a transfer legitimacy and the need for supplementary measures will need to be considered on a case-by-case basis.

While the judgement says SCC are still a valid mechanism, it does add a condition upon the exporting data controller to ascertain, to its own satisfaction, that the laws governing the importing recipient are not going to undermine the protections otherwise guaranteed by SCC (essentially equivalent). Whether requiring controllers to assess the laws of every country in which recipients may be based to enable these kinds of assessments on a case by case basis is workable (or fair particularly to smaller exporters) is to be seen. This introduces the prospect of a need for Transfer Impact Assessments being added to the (seemingly) growing list of documentation to satisfy record keeping and accountability obligations.

The ICO’s view is that for now, those exporting personal data should take stock of the international transfers they make and react promptly as guidance and advice becomes available. European Data Protection Board and the ICO have both have committed to produce further guidance so this will be an ongoing topic for the foreseeable.

On the subject of ongoing topics, issues around international transfer of personal data have a Brexit angle. Following the transition period, the UK will become a third country for the purpose of  transfer of personal data out of the EEA. Without an adequacy decision from the Commission, or the negotiation and approval of some form of special arrangements, the UK  will be in the same position as all other third countries without an adequacy decision. Without something in place this puts a risk on the transferor for all transfers of personal data from the EEA in to the UK post transition period whether internal within an organisation or to an external entity. While SCC’s can still be used to manage this risk, more in-depth considerations, as discussed above, will be required to ensure their use is valid. Given this, being aware of your organisation’s data transfers from the EEA in to the UK should be given priority and preparations made to ensure a smooth transfer to post Brexit incoming transfers of personal data.

This article was prepared by HGF Senior IP Solicitor James Talbot. If you would like further advice on this or any other matter, please contact James. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.

Aktuelle Neuigkeiten

Die Marketing- und Verkaufspraktiken von eControl System erwecken den unlauteren Eindruck einer geschäftlichen Verbindung mit AGA

Im Juli 2023 reichte die renommierte britische Marke AGA Rangemaster Group Limited („AGA“) eine Klage wegen Markenverletzung und Urheberrechtsverletzung ein, die sich gegen die[1] gebrauchten renovierten AGA-Herde von eControl System …

Weiterlesen

Innovation vorantreiben - Das IP hinter der Sporternährung

Die Bedeutung der Innovation für den sportlichen Erfolg Die Europameisterschaft ist in vollem Gange und die Olympischen Spiele stehen vor der Tür. In diesem Sommer werden Spitzensportler bis an die …

Weiterlesen

UPC erlässt zwei erstinstanzliche Entscheidungen zu Verletzungen

Letzte Woche, etwas mehr als ein Jahr nachdem es seine Arbeit aufgenommen hat, hat das UPC sein erstes wichtiges Entscheidung in einem Verfahren wegen Verletzung gefällt. Damit hat das UPC …

Weiterlesen

Prüfungserfolg und Glückwünsche

Wir sind sehr stolz auf die Nachricht, dass einige unserer Kolleginnen und Kollegen fantastische Ergebnisse in der europäischen Patentqualifikation und den britischen Foundation-Prüfungen erzielt haben! Wir möchten den folgenden Personen …

Weiterlesen

Neue Blog-Serie - Agritech Thymes: Ein kurzer Blick auf die öffentliche Vorbenutzung von Pflanzen in den USA

In den USA können Pflanzen durch Gebrauchspatente, Pflanzenpatente und/oder Sortenschutzrechte geschützt werden. Für beide Arten von Patenten gelten die gleichen Neuheitsregeln des USC §102, wonach die öffentliche Vorbenutzung als Offenbarung …

Weiterlesen

Managing IP Kanzleirankings - Patente 2024

HGF freut sich, bekannt zu geben, dass wir in der jüngsten Rangliste der Kanzlei für gewerblichen Rechtsschutz von Managing IP als Tier 1 und Tier 2 sowie als andere bemerkenswerte …

Weiterlesen