< Back to latest news & events

News

Privacy Shield ruling introduces new challenges to personal data transfers to the US (and elsewhere)

August 2020

EU and UK data protection legislation contains long standing restrictions around transferring personal data to third countries outside of the European Economic Area (EEA) where the country in which the recipient is located has, in the eyes of the European Commission, inadequate protections for that personal data.

This list of countries with an ‘adequacy decision’ currently stand as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, with partial findings for Japan and Canada.

Distinct processes have been put in place to allow transfers to the USA. These started with the first ‘Safe Harbour’, which was struck down by the Court of Justice of the European Union (CJEU) in Schrems I in October 2015 arising from a referral from the High Court of Ireland following a complaint from a privacy activist in relation to Facebook’s use of personal data. After some brief excitement/panic in the data protection community, July 2016 saw a replacement process, ‘Privacy Shield’, being put in place. Four years later in July 2020, following another referral from the Irish High Court from the same privacy activist, the CJEU struck down Privacy Shield in Schrems II, again striking down a distinct process allowing data transfer in to the USA and leaving transfers made using this process in limbo.

Following the Schrems II ruling, which will be following up a judgment by the Irish court, the UK Information Commissioner’s Office view is that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA, and that Privacy Shield should not be used to give legitimacy to personal data transfers to the USA (particularly new transfers).

While ‘Privacy Shield’ was struck down by the July 2020 ruling, there was also a concern that the ‘Standard Contractual Clauses’ (SCC) which, if used, also allow transfer to non-EEA countries without an adequacy decision (including the USA), would also come under the scrutiny on the CJEU. While the court did give consideration to SCC, these were not struck down, with the court’s view being that the use of SCCs do not in themselves automatically give a transfer legitimacy and the need for supplementary measures will need to be considered on a case-by-case basis.

While the judgement says SCC are still a valid mechanism, it does add a condition upon the exporting data controller to ascertain, to its own satisfaction, that the laws governing the importing recipient are not going to undermine the protections otherwise guaranteed by SCC (essentially equivalent). Whether requiring controllers to assess the laws of every country in which recipients may be based to enable these kinds of assessments on a case by case basis is workable (or fair particularly to smaller exporters) is to be seen. This introduces the prospect of a need for Transfer Impact Assessments being added to the (seemingly) growing list of documentation to satisfy record keeping and accountability obligations.

The ICO’s view is that for now, those exporting personal data should take stock of the international transfers they make and react promptly as guidance and advice becomes available. European Data Protection Board and the ICO have both have committed to produce further guidance so this will be an ongoing topic for the foreseeable.

On the subject of ongoing topics, issues around international transfer of personal data have a Brexit angle. Following the transition period, the UK will become a third country for the purpose of  transfer of personal data out of the EEA. Without an adequacy decision from the Commission, or the negotiation and approval of some form of special arrangements, the UK  will be in the same position as all other third countries without an adequacy decision. Without something in place this puts a risk on the transferor for all transfers of personal data from the EEA in to the UK post transition period whether internal within an organisation or to an external entity. While SCC’s can still be used to manage this risk, more in-depth considerations, as discussed above, will be required to ensure their use is valid. Given this, being aware of your organisation’s data transfers from the EEA in to the UK should be given priority and preparations made to ensure a smooth transfer to post Brexit incoming transfers of personal data.

This article was prepared by HGF Senior IP Solicitor James Talbot. If you would like further advice on this or any other matter, please contact James. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.

Latest updates

PRESS RELEASE - HGF Appoints new Chair of the Board: Formerly Head of Engineering, Lucy Johnson

HGF announced a new Chair to its Management Board, Lucy Johnson. Lucy was previously head of the firm’s Engineering Group.  Effective immediately Lucy succeeds Jason Lumber who held the position …

Read article

Blog Series: IP Ingredients, Part 7: Data in food and beverage parent applications - Why, What & How much?

Questions I often get asked by innovators looking to file a patent application include: “What kind of experimental data do I need to include?” and “How many examples do we …

Read article

HGF ranked in The Legal 500 Germany 2024

HGF is proud to be ranked in The Legal 500 Germany 2024 guide. The Legal 500 provides the most comprehensive worldwide coverage on recommended Law firms, Lawyers, Attorneys, Advocates, Solicitors, …

Read article

EPO Annual Fee Increases

The European Patent Office (EPO) has announced that revised Official Fees will apply to payments made on or after Monday 1st April 2024. The majority of fees will increase by …

Read article

Tanya Waller Recognised as Lexology Legal Influencer for IP

We are delighted to share that our Trade Mark Director Tanya Waller has been recognised as a Lexology Legal influencer for Q4/2023! Tanya provides high-quality legal content for our website …

Read article

WTR 1000 2024

We are delighted to announce that our European trade mark team has been recognised in the gold tier world Trade Mark Review 1000 2024. The firm is also proud to …

Read article

Blog Series - IP Ingredients, Part 6: Geographical Indications: “What’s in a [place] name?”

You are likely to be familiar with Scotch Whisky, Champagne, Welsh Lamb, Stilton blue cheese and Jersey royal potatoes but did you know that the names of some of your …

Read article