In a landmark ruling on 16 July, the Court of Justice of the European Union (CJEU) found that the EU-US Privacy Shield, a key data sharing mechanism, is invalid on the basis that it fails to protect privacy and does not comply with data protection rules. The ruling will have significant ramifications for businesses that share data with US businesses.

The long-awaited decision relates to the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (commonly referred to as Schrems II). Maximillian Schrems, a privacy activist, brought an action against Facebook in 2011 on the basis that US laws did not provide adequate protection for EU citizens' personal data, in particular in respect of Facebook's sharing of data with US national security authorities.

An earlier ruling in the case saw the abolition of Safe Harbour (an agreement which governed data transfers between the EU and the US) on the grounds that it failed to provide adequate safeguards for the protection of EU citizens' data. The EU-US Privacy Shield was created in 2016 to replace Safe Harbour.

What is the EU-US Privacy Shield?

The EU-US Privacy Shield is a framework intended to provide businesses on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US. The processing of personal data within the EU is governed by the General Data Protection Regulation (GDPR), which sets out specific requirements for the transfer of personal data outside of the EU, such as only transferring data to countries that have sufficient data protection laws in place. It was thought that the EU-US Privacy Shield provided US and EU businesses with a mechanism to transfer data in line with the requirements of the GDPR.


Why was the EU-US Privacy Shield held to be invalid?

The CJEU found that, under US law, the requirements of US national security, public interest and law enforcement have primacy over the fundamental rights of individuals whose data are transferred from the EU to the US. The CJEU also found that the Privacy Shield Ombudsperson mechanism fails to provide the level of protection required by EU law, in particular the right to effective judicial redress.

What does this mean for businesses that transfer data between the EU and the US?

The GDPR only permits the transfer of personal data outside of the EU if appropriate safeguards are in place. The result of the Schrems II ruling is that the EU-US Privacy Shield is no longer a valid mechanism to comply with EU data protection requirements, and businesses must therefore reassess the legal basis they will rely upon for their data transfers.

As part of the ruling, the CJEU found that the use of Standard Contractual Clauses (SCCs) remains a valid mechanism to permit data transfers. However, any such use of SCCs must offer an adequate level of protection of personal data, taking into account the overall circumstances of the transfer. Whether the use of SCCs will afford an adequate level of protection must therefore be assessed on a case-by-case basis. This means that businesses relying upon SCCs must assess whether appropriate safeguards are in place in the country outside of the EU to which the data is to be transferred.

To determine whether SCCs are a sufficient mechanism for a transfer, businesses exporting data outside of the EU will need to take into account not only the laws of the destination country but also the scope of access by its public authorities and the availability of judicial redress for individuals in that country. If such a review shows that the use of SCCs alone would not afford sufficient protection, additional safeguards for the transfer will need to be explored.

What are SCCs?

Standard Contractual Clauses are standard sets of contractual terms and conditions to which senders and receivers of personal data both agree. The terms aim to protect personal data leaving the EU by introducing contractual obligations designed to ensure compliance with the requirements of the GDPR.

What action must businesses now take?

Businesses must now consider the following immediate actions:

  • complete an analysis of data flows and identify any transfers of personal data outside of the EU. Alternative means of transfer must be implemented for any transfers of data that previously relied upon the EU-US Privacy Shield. This may include revising existing agreements and introducing SCCs;
  • identify current transfers of personal data that rely upon SCCs as a transfer mechanism and assess the adequacy of that safeguard, considering all of the circumstances of the transfer. In practice, this will mean businesses reviewing the risks presented by the transfer of data, the wider context of the industry or sector they operate within and the protection afforded within the destination country. Such a risk assessment must be conducted before any data is transferred, and in the event that the assessment reveals that the use of SCCs would not afford adequate protection, the data export must be suspended; and
  • consider any practical measures that could be implemented before transferring any data, such as the encryption of data.

The EU Commission has confirmed that it is assessing alternative instruments for international transfers of personal data, and in the interim businesses must closely monitor the development of any new safeguards announced by the EU.
