A recent case in the Court of Justice of the European Union (CJEU) has changed the way companies can control personal data. The decision, called Schrems II, has made the EU/US Privacy Shield invalid for data transfer, and imposed obligations on companies using Standard Contractual Clauses.
Shchrem I
In 2013, Max Schrems filed a complaint against Facebook for allowing U.S. authorities to access his personal data. In 2015, the CJEU held in Schrems favour and found the mechanism by which the personal data transfer had been affected was invalid. This mechanism was the ‘Safe Harbor’ method whereby U.S. companies could self-certify adherence to relevant privacy principles and then affect the transfer of data from the EU. This case was Schrems I.
Because of this case, in 2016 the EU and US negotiated the ‘Privacy Shield’ as the new data transfer method to replace ‘Safe Harbor’. Privacy Shield had same issue where US companies self-certified their compliance with the privacy principles. This meant that US companies could again continue to access personal data from the EU without complying with EU privacy principles.
Following Schrems I, Facebook used the EU approved SCCs (Standard Contractual Clauses) as the data transfer mechanism. This is an approved data contract that two parties can use to transfer data from the European Economic Area (EEA) to other countries. In 2018 Max Schrem submitted another complaint relying on similar arguments to Schrems I, alleging that SCCs are also inadequate.
Schrems II
On July 2020 The CJEU held that SCCs remain a valid mechanism as they provide sufficient protection for EEA personal data. However, the court held that the EEA based party (data exporter) must ensure, on a case by case basis, that an adequate level of data protection is provided in the country where the data importer is based. If the EEA party does not believe this is the case, the companies must implement additional safeguards or suspend transfers.
The CJEU also held that the Privacy Shield is no longer a valid mechanism for transferring personal data, as it cannot ensure a level of protection essentially equivalent to that arising from GDPR. This invalidates their previous decision on the Privacy Shield, on which more than 5,000 US companies rely on to conduct trade in compliance with EU data protection rules.
After Schrems I, the EEA authorities allowed a grace period to implement alternative measures, however this same period does not apply to the Privacy Shield. Whilst existing commitments to the Privacy Shield remain enforceable under by US Federal Trade Commission, there is no grace period during which an organisation can keep on transferring data to the United States without assessing its legal basis for the transfer.
The European Data Protection Board (EDPB) has issued FAQs on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs).
What this means for those dealing with non-EEA companies:
Anyone dealing with US companies and non-EEA companies must now ensure there are significant safeguards to protect any data transfers outside of the EEA. This means that if the data exporter relies on an SCCs (which are still valid to use) to transfer data, they need to assess whether the data importer has an adequate level of protection.
Ways in which is this can be done include:
- A written due diligence process;
- Monitoring guidance from supervisory authorities such as the European Data Protection Board and the European Commission; and
- Reviewing any current SCC contracts. This should include a review on their importing country’s privacy laws, the level of access, and the rights authorities have to the personal data.
In a recent GDPR report, the European Commission also stated it is working on a comprehensive modernisation of SCCs in light of GDPR of requirements, but for now, companies previously relying on the Privacy Shield will need to look at the ways, as we outline above, to enable the transfers under GDPR.
On the expiry of the Brexit transition period on 31 December 2020, data transfers from the EEA and will need to comply with GDPR and ensure that data is only transferred to the UK where an equivalent level of protection is provided. One way is through the UK obtaining the ‘adequacy’ decision from the EU. If it is obtained before the end of the Brexit transition period, the adequacy decision would allow uninterrupted flow of personal data from the EEA to the UK.
Whilst the UK will technically be able to decide how to regulate transfers from the UK to the US after the Brexit transition period, the UK is unlikely to move away from the from the Schrems II guidance from EDPB in the short term, since this could jeopardise the UK’s application for an ‘adequacy’ decision from the European Commission.
If you enjoyed reading this post and would like to know more about our services, please contact us. We’re always happy to have a no-obligation chat, to see if we are the right law firm to help you.
Need advice?Contact us to discuss your requirements and how we can help
