Our team: Alexandra Cooke
On 16 July 2020, the European Court of Justice (ECJ) examined and ruled on the EU-US Privacy Shield (Privacy Shield), and declared it invalid. The Privacy Shield was the mechanism that facilitated the compliant transfer of personal data from the European Union to the United States. The decision means that businesses relying on the Privacy Shield to transfer personal data to the US will now have to identify an alternative mechanism. It is currently unclear whether businesses will be allowed a grace period to consider their options, as was the case when the Privacy Shield’s predecessor (the EU-US Safe Harbour agreement) was declared invalid.
Why has the Privacy Shield been declared invalid?
Under the General Data Protection Regulation (EU) 2016/679 (GDPR), organisations must transfer personal data outside of the EU only in the following circumstances:
According to a report by the UCL European Institute, over 5,300 organisations rely on the Privacy Shield to transfer the personal data of EU data subjects to the US. However, critics have long argued that the Privacy Shield does not provide adequate protection in line with EU data protection standards. In its decision, the ECJ confirmed these concerns, noting that, under the Privacy Shield, the requirements of US national security, public interest and law enforcement take precedence. As this effectively condones interference with the fundamental rights of EU data subjects, the ECJ has declared the Privacy Shield invalid.
What does this mean for businesses using the Privacy Shield?
Now that the Privacy Shield has been declared invalid, businesses will have to choose an alternative mechanism to transfer personal data to the US. The most practical alternative for most businesses is probably the adoption of Standard Contractual Clauses (SCCs).
In its decision, the ECJ confirmed that SCCs remain a valid alternative, but made it clear that this validity depends on:
Therefore, in addition to honouring their contractual obligation to comply with SCCs, controllers and processors relying on SCCs must do the following:
When do businesses have to take action?
The UK Information Commissioner’s Office (ICO) is currently considering the ECJ’s ruling, and has advised businesses that are currently using the Privacy Shield to continue to do so until new guidance becomes available. Further discussions between the EU and US regarding a grace period are envisaged, but businesses that are affected (including those who transfer personal data directly to US counterparties, such as US suppliers and US group companies, as well as those who use platforms or service providers that transfer personal data to the US) will want to consider alternative mechanisms sooner rather than later, to reinforce the security of personal data being transferred and to minimise business disruption.