The Court of Justice of the European Union (CJEU) has hit the final nail in the coffin of the beleaguered EU-US Privacy Shield. Walker Morris data protection and privacy experts explain the judgment and what this means for transfers to the USA, as well as the potential implications for post-Brexit Britain.

What's happened?

The GDPR requires that transfers of personal data to so-called third countries (that is, countries not in the European Economic Area (EEA)) can only occur where the receiving organisation is subject to comparable data protection obligations to the GDPR.

The Privacy Shield framework is a set of voluntary obligations and principles relating to the protection of personal data, overseen by the US Department of Commerce, that US organisations could elect to be bound by. Organisations that underwent Privacy Shield certification were bound by its requirements and were deemed to provide an adequate level of protection for personal data.

Accordingly, EEA organisations could freely transfer personal data to organisations in the USA that were 'Privacy Shield certified' and such certifications formed the basis for significant volumes of personal data transfers.

In 2016, the European Commission deemed the Privacy Shield framework met the standards required under EU law, although that did not prevent Privacy Shield being the subject of much discussion by privacy law commentators and activists, in a similar way to its predecessor, the Safe Harbor Principles. Complaints generally related to the wide powers afforded to public authorities in the USA to obtain access to personal data held by private organisations – particularly in terms of government surveillance – which contrasts with fundamental principles of EU data protection law. Critics argued that the Privacy Shield failed to take sufficient steps to prevent this occurring to data transferred to organisations in the USA.

On 16 July 2020, when considering a complaint brought against Facebook Ireland by Austrian national Maximillian Schrems about this issue, the CJEU decided that the Privacy Shield did not afford adequate protection for personal data transferred to organisations that had self-certified. Following the judgment – known as Schrems II – personal data can no longer be compliantly transferred from within the EEA to organisations in the USA on the basis of Privacy Shield certifications.

Can we still transfer personal data to the USA?

While Privacy Shield has been invalidated in accordance with the Schrems II decision, other "appropriate safeguards" remain in place to allow personal data to be transferred to the USA.

One of the key appropriate safeguards is the standard data protection clauses adopted by the European Commission, which are often referred to as the Model Clauses, or Standard Contractual Clauses (SCCs). The SCCs take the form of a prescribed contractual agreement that can be entered into between the two parties involved in a transfer of data where the exporting data controller is in the EEA and the data importer (which can be a controller or a processor) is outside the EEA.

As part of the complaint brought by Mr Schrems, the CJEU considered the validity of the SCCs as a means of transferring data to the USA. The Court concluded "that the validity of [the SCCs] is not called into question by the mere fact that [they] do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred."

The CJEU did not therefore invalidate use of the SCCs, although it did assert that the context in which SCCs are used must be considered by the data exporter. Supervisory authorities (such as the Information Commissioner's Office (ICO) in the UK) have the power to prohibit data transfers on the basis of SCCs in cases where such transfers are likely to have adverse effects on the protections afforded to relevant data subjects.

While the CJEU only considered controller-to-processor SCCs in Schrems II, the decision is considered to be equally valid for controller-to-controller SCCs.

What should we do now?

The ICO is reviewing its guidance following the Schrems II judgment. Until it publishes updated guidance, the ICO advises that organisations currently using Privacy Shield as the basis for personal data transfer from the EEA to the USA should continue to do so. However, organisations not currently using Privacy Shield should not start to do so.

EEA organisations that transfer data to the USA should review data sharing arrangements and identify where these are based on Privacy Shield certifications.

Once these have been identified, the agreements should be reviewed. Some agreements may include provisions that govern what should happen should the Privacy Shield framework be removed. Where the agreement is silent on this topic, the following options could be considered:

  • Consider whether the transfer needs to take place. The recent decision could act as a prompt to review processing activities. Under the GDPR principles of purpose limitation, data minimisation and storage limitation, consider whether the transfers are necessary for the organisation or whether the relevant processing activities should cease.
  • Process the personal data exclusively in the EEA. For organisations with multiple servers, technological reorganisations could enable all data subject to the GDPR to be stored on servers within the EEA. Where multiple processors are engaged, agreements can amended (or entered into) to ensure that only processors with operations based in the EEA are used to process personal data that is subject to the GDPR.
  • Anonymise personal before it is transferred. This will not be appropriate in circumstances where identification of the relevant data subjects is key to the reason for processing. But where data can be anonymised before it is transferred, it will no longer be subject to the GDPR (although be careful when anonymising data to ensure it is truly anonymised and not simply pseudo-anonymised or 'pseudonymised').
  • Incorporate SCCs into the transfer agreement. Where the continued transfer is necessary for business purposes, SCCs could be entered into between the relevant parties or the existing agreement could be amended to incorporate these clauses. The use of SCCs in relation to transfers to the USA is still valid, although it has been called into question by the CJEU judgment and deferred to supervisory authorities to police. Analysis of the risk associated with such transfers should therefore be carefully considered and SCCs should not be seen as a catch-all approach. In any event, the European Commission has never approved SCCs for processor-to-processor transfers.
  • Adopt binding corporate rules. Binding corporate rules are a potential solution in some circumstances, although their use is limited in practice as they apply only to intra-group transfers and the application process for adopting them is lengthy. Another method – possibly SCCs – would likely be needed as an interim measure while the necessary administration was undertaken.

What does the future hold?

European Commission Vice President Vera Jourová confirmed in a statement following the judgment that the Commission will continue work to modernise the SCCs and engage with counterparties in the USA to ensure continued options for safe transatlantic data flows. However, the EU and the USA have fundamental differences when it comes to the conflict between individuals' rights to privacy and the ability of the security services to obtain and intercept personal data, and these may difficult to align.

US Secretary of Commerce Wilbur Ross also issued a statement, commenting that the Department of Commerce will study the decision to fully understand its practical impacts but that it hopes to be able to limit the negative consequences. He said the Department of Commerce will continue to administer the Privacy Shield programme notwithstanding the recent decision. US organisations that are certified with the Privacy Shield must therefore continue to operate in accordance with its principles.

Comments made in the judgment, and the EU's general aversion to surveillance, could also pose issues for the UK in relation to Brexit. As part of the Brexit negotiations, the UK is seeking an adequacy decision from the EU – a statement that UK law upholds the same standard for data protection as the EU – to allow uninterrupted data transfers between organisations in the EU and those in the UK once the UK becomes a third country.

However, the UK is also seeking to negotiate a data trade arrangement with the US. If this happens, the EU will be sure to question how personal data can be safely transferred from the EEA to the UK if it may then be freely transferred to the USA. The European Commission believing the UK may simply be used as an outpost between the EEA and the USA for data transfers could inhibit the UK's ability to obtain an adequacy decision.

The UK Government has also historically had a more relaxed approach to surveillance by public authorities than the EU, which places more emphasis on the rights of individuals. The UK's Regulation of Investigatory Powers Act 2000, Investigatory Powers Act 2016 and its membership of the Five Eyes programme will be scrutinised by the EU in any adequacy decision process, particularly in light of the Schrems II decision.

It is hoped that the European Data Protection Board will publish clear guidance on this issue in short order as companies seek to understand the wider ramifications. Walker Morris will continue to monitor the evolving situation and provide updates as they develop.

Originally published 18 July, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.