< Back to latest news & events


Privacy Shield ruling introduces new challenges to personal data transfers to the US (and elsewhere)

August 2020

EU and UK data protection legislation contains long standing restrictions around transferring personal data to third countries outside of the European Economic Area (EEA) where the country in which the recipient is located has, in the eyes of the European Commission, inadequate protections for that personal data.

This list of countries with an ‘adequacy decision’ currently stand as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, with partial findings for Japan and Canada.

Distinct processes have been put in place to allow transfers to the USA. These started with the first ‘Safe Harbour’, which was struck down by the Court of Justice of the European Union (CJEU) in Schrems I in October 2015 arising from a referral from the High Court of Ireland following a complaint from a privacy activist in relation to Facebook’s use of personal data. After some brief excitement/panic in the data protection community, July 2016 saw a replacement process, ‘Privacy Shield’, being put in place. Four years later in July 2020, following another referral from the Irish High Court from the same privacy activist, the CJEU struck down Privacy Shield in Schrems II, again striking down a distinct process allowing data transfer in to the USA and leaving transfers made using this process in limbo.

Following the Schrems II ruling, which will be following up a judgment by the Irish court, the UK Information Commissioner’s Office view is that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA, and that Privacy Shield should not be used to give legitimacy to personal data transfers to the USA (particularly new transfers).

While ‘Privacy Shield’ was struck down by the July 2020 ruling, there was also a concern that the ‘Standard Contractual Clauses’ (SCC) which, if used, also allow transfer to non-EEA countries without an adequacy decision (including the USA), would also come under the scrutiny on the CJEU. While the court did give consideration to SCC, these were not struck down, with the court’s view being that the use of SCCs do not in themselves automatically give a transfer legitimacy and the need for supplementary measures will need to be considered on a case-by-case basis.

While the judgement says SCC are still a valid mechanism, it does add a condition upon the exporting data controller to ascertain, to its own satisfaction, that the laws governing the importing recipient are not going to undermine the protections otherwise guaranteed by SCC (essentially equivalent). Whether requiring controllers to assess the laws of every country in which recipients may be based to enable these kinds of assessments on a case by case basis is workable (or fair particularly to smaller exporters) is to be seen. This introduces the prospect of a need for Transfer Impact Assessments being added to the (seemingly) growing list of documentation to satisfy record keeping and accountability obligations.

The ICO’s view is that for now, those exporting personal data should take stock of the international transfers they make and react promptly as guidance and advice becomes available. European Data Protection Board and the ICO have both have committed to produce further guidance so this will be an ongoing topic for the foreseeable.

On the subject of ongoing topics, issues around international transfer of personal data have a Brexit angle. Following the transition period, the UK will become a third country for the purpose of  transfer of personal data out of the EEA. Without an adequacy decision from the Commission, or the negotiation and approval of some form of special arrangements, the UK  will be in the same position as all other third countries without an adequacy decision. Without something in place this puts a risk on the transferor for all transfers of personal data from the EEA in to the UK post transition period whether internal within an organisation or to an external entity. While SCC’s can still be used to manage this risk, more in-depth considerations, as discussed above, will be required to ensure their use is valid. Given this, being aware of your organisation’s data transfers from the EEA in to the UK should be given priority and preparations made to ensure a smooth transfer to post Brexit incoming transfers of personal data.

This article was prepared by HGF Senior IP Solicitor James Talbot. If you would like further advice on this or any other matter, please contact James. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.

Latest updates

More Exam Success at HGF!

HGF is delighted to announce the success of our colleagues in their recent CITMA trade mark paralegal exams and to congratulate them on this fantastic achievement. Lucy Johnson Chair comments, …

Read article

Electrification: IP opportunities and risks for aerospace

As patent attorneys, the recent rate of innovation and cross-sector interest in battery and allied technologies has been clearly noticeable. There has been a significant uptick in new patent filing …

Read article

HGF Ranked Gold Across All Categories in the Financial Times Special Report

HGF is proud to have been ranked ‘Gold’ across all bands in the Financial Times Special Report – Europe’s Leading Patent Firms’ published on the 13th of June 2024. This …

Read article

IP Ingredients, Part 15: How and when to use trade secrets to protect your food or drink innovations

Some of the food and drink industry’s most successful products are protected as trade secrets: the recipes for Coca Cola, Heinz ketchup and Krispy Kreme donuts to name just a …

Read article
Event - 11th June 2024

HGF are proud sponsors of the Quantum Investors Network: LtW Summit.

The Quantum Investors Network: LtW Summit will be held in London on 11th June 2024, where Matt Cassie will be speaking on the panel ‘Talent, IP, Standards: moats – past …

Event details

IAM Patent 1000 2024

The IAM Patent 1000 World Leading Patent Professionals 2024 has been published and we have received another fantastic result with 31 of our attorneys being recognised as world-class individuals. As …

Read article