On 16 July 2020, the European Court of Justice (ECJ) examined and ruled on the EU-US Privacy Shield (Privacy Shield), and declared it invalid. The Privacy Shield was the mechanism that facilitated the compliant transfer of personal data from the European Union to the United States. The decision means that businesses relying on the Privacy Shield to transfer personal data to the US will now have to identify an alternative mechanism. It is currently unclear whether businesses will be allowed a grace period to consider their options, as was the case when the Privacy Shield’s predecessor (the EU-US Safe Harbour agreement) was declared invalid.
Why has the Privacy Shield been declared invalid?
Under the General Data Protection Regulation (EU) 2016/679 (GDPR), organisations must transfer personal data outside of the EU only in the following circumstances:
- on the basis of a European Commission adequacy decision, such as the EU-US Privacy Shield adequacy decision;
- where there are appropriate safeguards in place, such as controller to processor standard contractual clauses (SCCs) or binding corporate rules (BCRs); or
- where a derogation applies for specific situations, such as the data subject giving their explicit consent or the performance of a contract.
According to a report by the UCL European Institute, over 5,300 organisations rely on the Privacy Shield to transfer the personal data of EU data subjects to the US. However, critics have long argued that the Privacy Shield does not provide adequate protection in line with EU data protection standards. In its decision, the ECJ confirmed these concerns, noting that, under the Privacy Shield, the requirements of US national security, public interest and law enforcement take precedence. As this effectively condones interference with the fundamental rights of EU data subjects, the ECJ has declared the Privacy Shield invalid.
What does this mean for businesses using the Privacy Shield?
Now that the Privacy Shield has been declared invalid, businesses will have to choose an alternative mechanism to transfer personal data to the US. The most practical alternative for most businesses is probably the adoption of SCCs.
In its decision, the ECJ confirmed that SCCs remain a valid alternative, but made it clear that this validity depends on:
- having effective mechanisms in place to ensure compliance with the level of protection required by EU law; and
- ensuring transfers of personal data pursuant to SCCs can be suspended or prohibited if there is a breach of the SCCs, or if the laws of the country to where the personal data is being transferred make it impossible to comply with them.
Therefore, in addition to honouring their contractual obligation to comply with SCCs, controllers and processors relying on SCCs must do the following:
- both parties must verify, before any transfer takes place, whether the third country’s legal system meets the level of protection required by EU law; and
- the data importer must inform the data exporter of any inability to comply with the SCCs, and the data exporter must then suspend the data transfer or terminate the contract with the data
When do businesses have to take action?
The UK Information Commissioner’s Office (ICO) is currently considering the ECJ’s ruling, and has advised businesses that are currently using the Privacy Shield to continue to do so until new guidance becomes available. Further discussions between the EU and US regarding a grace period are envisaged, but businesses that are affected (including those who transfer personal data directly to US counterparties, such as US suppliers and US group companies, as well as those who use platforms or service providers that transfer personal data to the US) will want to consider alternative mechanisms sooner rather than later, to reinforce the security of personal data being transferred and to minimise business disruption.