deepagopi2011 - Fotolia

Why data exports from the EU will be challenging without Privacy Shield

Organisations exporting data to the US under Privacy Shield or overseas generally, whether under standard contractual clauses or binding corporate rules, need to urgently review the legal basis of these transfers  

In a significant ruling last month, the European Union Court of Justice (CJEU) ruled that the Privacy Shield framework, which allows data transfers between the US and the UK and EU, was invalid. With the landmark case striking a significant blow to EU-US data transfer safeguards, what does this mean going forward and how can businesses continue to send data to the US?

The Privacy Shield case revolved around a legal dispute named Schrems II, launched by Max Schrems against Facebook Ireland after he raised concerns over the transfer of his personal data from the EU to the US. After close investigation, the CJEU found that the US legal system does not allow adequate protection for individuals against access to their data by US security agencies.

Up until this point, the Privacy Shield has been one of the most important mechanisms allowing international data transfers to the US. Under EU data protection law, the General Data Protection Regulation (GDPR), if the recipient country does not have adequate data protection measures in place – as is the case with the US – then organisations can only transfer data out of the EU under certain limited circumstances.

The EU/US Privacy Shield was a mechanism which allowed US companies to certify that they had the necessary internal protections in place. More than 5,500 businesses, including global giants such as Amazon and Microsoft, had signed up to Privacy Shield. These businesses, and those sending data to them, will need to find another lawful basis of export.

However, the CJEU’s decision to invalidate Privacy Shield as a legitimate means of data transfer safeguarding was somewhat a by-product of the Schrems case. In fact, his legal argument centred instead around the validity of standard contractual clauses (SCCs), a mechanism under GDPR which can be agreed between companies to allow the export of personal data outside the EU. SCCs can be used for transfers not just to the US, but to any other country outside of the European Union.

While it invalidated Privacy Shield, the CJEU found that  SCCs are still valid. In doing so though, it took great pains to remind businesses that they require the party sending data outside of the EU to halt such activity if it’s found that the data receiver cannot comply with the safeguarding provisions set out in the SCCs. Given that the CJEU stated in its reasoning for the invalidation of Privacy Shield that US laws don’t allow adequate protection for data transfers to the US, it’s difficult to see how the SCCs could work going forward.

Organisations exporting data to the US under Privacy Shield or overseas generally, whether under SCCs or BCRs, need to urgently review the basis of these transfers to ensure that they continue to be appropriate

The European Data Protection Board (EDPB) has since issued some FAQs around the use of SCCs, confirming that for to use them, the data exporter has to make an assessment to ensure that the clauses are capable of being honoured and that there are appropriate additional technical protections, such as encryption, in place to support this. If it cannot do so, then the exporter must suspend the transfer of personal data, or notify the relevant supervisory authority of the fact that transfers are continuing.

The EDPB also considers that Schrems II challenges the use of other transfer mechanisms such as binding corporate rules (BCRs). Again, for these to continue to be used, the exporter is required to evaluate whether the laws of the receiving country allow the BCRs to provide appropriate protections. If not, as with SCCs, data flows either need to cease or the supervisory authority be notified.

The UK Information Commissioner’s Office’s initial response to Schrems II was that while new transfers should not take place under Privacy Shield, organisations should not immediately need to cease transfers which previously were allowed under the Privacy Shield. With the updated guidance, and the EDPB FAQs, it is now clear that this is not the case and that organisations exporting data to the US under Privacy Shield or overseas generally, whether under SCCs or BCRs, need to urgently review the basis of these transfers to ensure that they continue to be appropriate.

When the precursor to Privacy Shield, Safe Harbour, was found invalid in 2015, the EU was quick to replace it with Privacy Shield, which allowed transfers to continue in a similar fashion. It does seem that it will be far more difficult to put in place a similar mechanism, at least in the short term. Until more guidance is received, overseas transfers have suddenly become far more challenging.

Read more about Privacy Shield

Read more on Privacy and data protection