The end of the Privacy Shield. What do you need to do?
The Privacy Shield — which protected data transfers between the EU and the U.S. — is no longer valid because the EU deems that U.S. domestic laws (specifically national security laws) are not stringent enough to protect data. Standard Contractual Clauses (SCCs) are still allowed, but using them as your Plan B may not be as simple as it seems.
Here, our Senior Associate, Jennifer Foxwell, explains the changes, how they will impact you and what you should do next.
Why is the Privacy Shield no longer valid?
Under EU laws, personal data can only be transferred to a country outside the European Economic Area (EEA) if that country provides an adequate level of data protection.
The EU-U.S. Privacy Shield imposed a framework under which personal data could transfer from the EEA to the U.S. It ensured that U.S. and European companies could comply with data protection requirements when transferring personal data from the EU (and Switzerland) to the United States.
U.S. companies were obliged to self-certify to the Department of Commerce and publicly commit that they were complying with the Privacy Shield’s requirements, which imposed stringent obligations on such companies with regard to their handling of EU personal data.
The Court of Justice of the European Union (CJEU) decision to declare the Privacy Shield invalid was primarily based on the fact that U.S. domestic laws, specifically national security laws, were insufficient to protect EU personal data, and that there was a lack of adequate redress for individuals in Europe and the United Kingdom whose personal data is transferred to the U.S.
As CJEU decisions still apply to the UK during the Brexit transition period, this means that UK to U.S. transfers of personal data made under the Privacy Shield will no longer be valid. This will, of course, cause much uncertainty for UK companies who relied on the Privacy Shield to transfer their data to the U.S. Such companies must now look to other methods to ensure they are able to continue transferring data to the U.S.
Can I use Standard Contractual Clauses (SCCs) instead?
As part of the same ruling, the CJEU also decided that another data transfer mechanism, Standard Contractual Clauses, or SCCs, remains valid. The SCCs are non-negotiable contractual clauses that the European Commission has decided still offer sufficient data protection safeguards for the data being transferred internationally. Binding corporate rules also remain unaffected, but these are costly and require a lengthy process to implement. Most companies will therefore most likely turn to SCCs.
However, replacing the Privacy Shield by signing SCCs is not necessarily a quick fix. Simply putting the SCCs in place will be insufficient to meet the safeguarding requirements, as the CJEU’s decision has highlighted that parties that transfer personal data using SCCs must verify the level of protection in the third country before making any transfer. This puts the burden of establishing that the transfers are lawful on the data exporter. Data exporters will need to review all of the circumstances of the data transfer to assess whether the SCCs adequately protect personal data, and refer areas of concern to their supervisory authorities. So far, such assessments are not subject to any guidance from data protection regulators as to what level of scrutiny they expect from businesses relying on SCCs.
Next steps if you currently rely on the Privacy Shield
The decision of the CJEU does not mean an immediate cessation of data transfers to the U.S. relying on the Privacy Shield. However, companies using this method will need to act quickly to implement alternative means of transferring data which, in most cases, will mean putting SCCs in place.
Consequently, all contracts under which personal data is transferred will need to be reviewed if they rely on the Privacy Shield or SCCs. This is not just pertinent to contracts involving personal data transfers to the U.S.: given the additional considerations now required around the use of SCCs, this will affect all data transfers to any third country without an adequacy decision where an organisation uses the SCCs as its data transfer safeguard.
Any reliance on the SCCs must entail a company reviewing each data transfer on a case-by-case basis and documenting its assessment of whether the third country has the required protections in place to meet the standards that the EU expects.
What might this mean for the future?
With the U.S. adequacy decision being thrown out, this casts a shadow over whether the UK will be able to secure a post-Brexit data adequacy decision. This makes it even more important for UK companies to ensure that they have SCCs in place in any future contracts they make with the EU.