There has been a recent change to data protection law that we believe you should be made aware of, as it may have consequences for your business. This follows on from our previous article on the decision; full information is available here.

Outlined below is the scope and nature of the change, and some interim measures you may wish to consider implementing.

EU-US Privacy Shield invalidated

In a landmark ruling, the Court of Justice of the European Union (CJEU) has held that the EU-US Privacy Shield (Privacy Shield) is invalid on the basis that it fails to adequately protect EU citizens’ data.

The ICO (the UK privacy regulator) released an initial statement in relation to the ruling confirming that businesses currently using the Privacy Shield should continue to do so until new guidance becomes available; however, businesses should not start to use the Privacy Shield during this period. The ICO published an updated statement on 27 July advising businesses to review their international data transfers and react promptly as new guidance and advice becomes available.

If you previously relied upon the Privacy Shield to transfer data to the US, then you will need to consider your options and alternative mechanisms to permit the transfer of such data. If you do not currently use the Privacy Shield and wish to transfer data to the US, then you must not begin to rely on the Privacy Shield and must use alternative methods for the transfer.

As part of the same ruling, the CJEU confirmed that the use of Standard Contractual Clauses (SCCs, standard sets of contractual terms to ensure compliance with the requirements of the GDPR) remains a valid mechanism to transfer personal data between the EU and the US – on the proviso that you conduct an assessment of the full circumstances of the transfer to ensure the SCCs offer sufficient protection to the personal data. If you rely upon the use of SCCs within your contracts to permit the transfer of personal data between the EU and the US, then you can continue to do so; however, you are now required to conduct a risk assessment before the transfer is permissible. The duty to conduct an active risk assessment before transferring data also applies in the event that you rely on Binding Corporate Rules (BCRs, strict agreed rules of conduct between entities to ensure compliance with the GDPR).

Interim measures to consider at this stage:

  • analyse your current data flows and identify any transfers of personal data outside of the EU to the US;
  • consider what alternative means of transfer can be implemented by your business;
  • reconsider your existing agreements and whether SCCs should be introduced into such agreements or whether BCRs can be implemented;
  • identify your current transfers of personal data to third countries outside of the EU that rely upon SCCs as a transfer mechanism and assess whether the SCCs offer adequate protection to the personal data;
  • conduct a regular risk assessment to consider the risks presented by the transfer of personal data itself, the wider context of the industry or sector you operate within, and the protection afforded within the country the data is to be sent to;
  • contact your US counterparts to discuss the ruling with them and enquire about steps being taken by them in relation to the ruling;
  • evaluate whether European data centres are a potential option for your business. Health warning: professional advice should be sought before moving your data centres, as the US Cloud Act may have potential ramifications on your ability to comply with European data protection law. When the UK’s transition period after Brexit expires (31st December 2020), the UK will be a third country in terms of the European Economic Area (EEA) Agreement, and any cross-border data transfers concerning the personal data of EU citizens will need to comply with the GDPR and have adequate safeguards in place to permit the transfer of data to the UK as a non-EEA country; and
  • consider whether any alternative practical measures could be implemented before personal data is transferred, such as anonymisation. Further regulatory guidance is awaited on suggested practical measures which should be implemented.

We will continue to monitor regulatory guidance and any updates from the ICO and communicate their recommended course of action to you. Should you wish to discuss the contents of this update further, and the potential impact this may have upon your business in the interim, please do not hesitate to get in touch on 0161 941 4000 or via email.