Privacy Shield ruling introduces new challenges to personal data transfers to the US (and elsewhere)
EU and UK data protection legislation contains long standing restrictions around transferring personal data to third countries outside of the European Economic Area (EEA) where the country in which the recipient is located has, in the eyes of the European Commission, inadequate protections for that personal data.
This list of countries with an ‘adequacy decision’ currently stand as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, with partial findings for Japan and Canada.
Distinct processes have been put in place to allow transfers to the USA. These started with the first ‘Safe Harbour’, which was struck down by the Court of Justice of the European Union (CJEU) in Schrems I in October 2015 arising from a referral from the High Court of Ireland following a complaint from a privacy activist in relation to Facebook’s use of personal data. After some brief excitement/panic in the data protection community, July 2016 saw a replacement process, ‘Privacy Shield’, being put in place. Four years later in July 2020, following another referral from the Irish High Court from the same privacy activist, the CJEU struck down Privacy Shield in Schrems II, again striking down a distinct process allowing data transfer in to the USA and leaving transfers made using this process in limbo.
Following the Schrems II ruling, which will be following up a judgment by the Irish court, the UK Information Commissioner’s Office view is that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA, and that Privacy Shield should not be used to give legitimacy to personal data transfers to the USA (particularly new transfers).
While ‘Privacy Shield’ was struck down by the July 2020 ruling, there was also a concern that the ‘Standard Contractual Clauses’ (SCC) which, if used, also allow transfer to non-EEA countries without an adequacy decision (including the USA), would also come under the scrutiny on the CJEU. While the court did give consideration to SCC, these were not struck down, with the court’s view being that the use of SCCs do not in themselves automatically give a transfer legitimacy and the need for supplementary measures will need to be considered on a case-by-case basis.
While the judgement says SCC are still a valid mechanism, it does add a condition upon the exporting data controller to ascertain, to its own satisfaction, that the laws governing the importing recipient are not going to undermine the protections otherwise guaranteed by SCC (essentially equivalent). Whether requiring controllers to assess the laws of every country in which recipients may be based to enable these kinds of assessments on a case by case basis is workable (or fair particularly to smaller exporters) is to be seen. This introduces the prospect of a need for Transfer Impact Assessments being added to the (seemingly) growing list of documentation to satisfy record keeping and accountability obligations.
The ICO’s view is that for now, those exporting personal data should take stock of the international transfers they make and react promptly as guidance and advice becomes available. European Data Protection Board and the ICO have both have committed to produce further guidance so this will be an ongoing topic for the foreseeable.
On the subject of ongoing topics, issues around international transfer of personal data have a Brexit angle. Following the transition period, the UK will become a third country for the purpose of transfer of personal data out of the EEA. Without an adequacy decision from the Commission, or the negotiation and approval of some form of special arrangements, the UK will be in the same position as all other third countries without an adequacy decision. Without something in place this puts a risk on the transferor for all transfers of personal data from the EEA in to the UK post transition period whether internal within an organisation or to an external entity. While SCC’s can still be used to manage this risk, more in-depth considerations, as discussed above, will be required to ensure their use is valid. Given this, being aware of your organisation’s data transfers from the EEA in to the UK should be given priority and preparations made to ensure a smooth transfer to post Brexit incoming transfers of personal data.
This article was prepared by HGF Senior IP Solicitor James Talbot. If you would like further advice on this or any other matter, please contact James. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.