The rules around transferring personal data from the European Union to the United States have been amended. In this blog we look at the recent decision by the Court of Justice of the European Union on 16 July 2020 which confirmed that the EU-US Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
The General Data Protection Regulation (GDPR) governs the processing of personal data within the EU. The UK enshrined the GDPR in UK law in the Data Protection Act 2018.
The GDPR sets out a series of standards that organisations must follow when processing personal data. They apply to personal data passed within countries within the EU.
Under the GDPR, the transfer of personal data from an EU to a non-EU country is unlawful unless:
The nature of “appropriate safeguards”, the second of the three options listed above, depends on who is transferring the data and why.
Group companies based around the globe will often rely on binding corporate rules to enable their business to transfer data internally without inadvertently breaching the GDPR requirements.
Where the two organisations sharing personal data are not connected, they can both adopt Standard Contractual Clauses (SCC’s) to show their compliance. These SCC’s are standard clauses approved by the EU which replicate the EU privacy standards. When relying on these clauses to send personal data outside the EU, the organisation transferring the data is also expected to carry out due diligence to satisfy themselves that the data would be treated properly in both the organisation and the country it is transferred to.
For organisations transferring personal data to the US, the EU-US Privacy Shield Programme became the easiest and simplest way to show that the receiving organisation complied with the GDPR and met the threshold of “appropriate safeguards”.
This recent case has shone a spotlight on this whole area of GDPR compliance.
The EU-US Privacy Shield was put together by the US department of Commerce and the European Commission. It was a way for organisations in the US to show they met privacy standards which were equivalent to those in the GDPR and therefore confirm there were appropriate safeguards in place to enable data to be shared from the EU.
It came into force before the GDPR, and replaced its predecessor, the Safe Harbour Agreement, which had been held to be invalid in a court case in 2015 – interestingly brought by the very same person who brought the case that has just been heard.
To receive certification under the EU-US Privacy Shield an organisation has to show they meet a set of privacy compliance standards with their internal practices and procedures. They can then self-certify to the US Department of Commerce who will confirm that they meet the requirements. The US Department of Commerce is also supposed to enforce the standards.
The aim of the EU-US Privacy Shield was to enable organisations to pass data between the EU and the US whilst still meeting the strict requirements in the GDPR to protect the integrity of the personal data held by organisations. It currently has approximately 5,000 subscribed companies.
The European Commission deemed the system “adequate” on the 12 July 2016 in what is known as the adequacy determination. A similar arrangement was reached between the Swiss Government and the US in 2017.
The EU has always been clear – if data travels overseas then the EU standards of data protection must travel with it.
The EU-US Privacy Shield gave organisations transferring personal data to the US a clear way to make sure they could protect that personal data and show that these requirements had been met. By registering with the system and meeting the requirements set out by the US Department of Commerce they could show they met the EU’s strict requirements and proceed with their business as usual. It has not only benefited group companies situated across the world but it also permeates supply chains around the globe and organisations who do business across the Atlantic.
The Schrems II case dealt with a complaint by a privacy activist, Maximillian Schrems, against Facebook Ireland regarding the transfer of his personal data from Ireland to the US. The case was actually focused on the validity of the SCC’s in place but having held that the SCC’s were valid, as an aside the European Court went further and scrutinised the EU-US Privacy Shield.
It looked in detail at the US laws which authorise public authorities to access personal data transferred from the EU to the US and found that these laws weren’t compatible with the EU privacy laws, i.e. the GDPR. It also found that the Privacy Shield standards weren’t actually “equivalent” to those in the GDPR at all. It criticised the fact that an effective independent ombudsman had not been established in the US. It found that there was no effective administrative or judicial redress for EU individuals if their personal data was not correctly handled within the US territory. The final nail in the coffin for the EU-US Privacy Shield was that within the US legal and judicial system, the interests of national security, public interest and law enforcement take priority over fundamental privacy rights which means privacy rights can be overridden. The European Court were very concerned about the effect this had on the security of personal data within the US.
Taking all these factors into account, it reversed the adequacy decision and held the EU-US Privacy Shield to be invalid.
Organisations can no longer rely on their subscription to the EU-US Privacy Shield programme to demonstrate they meet the requirements of the GDPR when sending personal data to the US.
The case also went further and the Court made clear that even when relying on SCC’s, organisations must now pay much more attention to whether or not the country the personal data is being sent to is a safe place for that personal data. The European Court reiterated the responsibility of the organisation transferring the data out of the EU to carry out sufficient due diligence. This will need to be done for both the country that the data is being sent to as well as the receiving organisation to make sure that the terms of any agreed SCC’s can actually be met and the data that is being transferred is safe. For example, organisations now need to consider the rights of public authorities to access data and the availability of judicial redress for individuals in the country before transferring that data. If the transferring organisation cannot be satisfied that this is the case it will need to seriously consider whether it is appropriate to continue to send data to that country or organisation or whether additional safeguards are needed first.
Not entirely. There have been increasing concerns over the adequacy of Privacy Shield since 2016 and those erring on the side of caution have always preferred to use SCC’s instead to protect the transfer of data between the EU and the US.
As mentioned above, the predecessor to the EU-US Privacy Shield, the Safe Harbour Agreement, was brought down by the very same privacy activist in a case several years before. Whilst the new Privacy Shield arrangements addressed the specific concerns with the Safe Harbour Agreement and arguably went further than its predecessor, there have always been concerns that it did not go far enough and the general practices in the US did not fully align with the aims and objectives of the EU when it comes to protecting personal data.
The EU-US Privacy Shield system still exists and organisations signed up to it must still comply to keep their certification. However, it will no longer meet the requirements under the GDPR for organisations in the EU sending data to the US. Organisations in the UK who send personal data to the US need to review these arrangements as a matter of urgency.
The ICO has issued updated guidance and is continuing to review its position and the options available. The consensus seems to be that where a country is not exempt under the GDPR, SCC’s are the way forward for sending personal data outside the EU subject to the new enhanced due diligence set out by the European Court.
Organisations affected should review their data protection practices and consider the best option for now meeting the requirements, update any internal policies and privacy notices and keep alert to any updates in the guidance from the ICO. It is also possible the US Department of Commerce may make further statements as the outcome is digested too.
If your organisation is affected by this decision and you would like to discuss your options further, please contact Charlotte Farrell or Tabytha Cunningham for further assistance and they would be happy to help.