Newsflash: Data transfers to the US – you can no longer rely on the EU–US Privacy Shield!

On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU Commission’s EU-US Privacy Shield Decision (2016/1250) is invalid. This means that UK and EU organisations who transfer personal data to the US can no longer rely on the fact that the recipient is self-certified for the EU-US Privacy Shield framework to demonstrate that they have met GDPR international data transfer rules.

The CJEU did, however, also rule that the EU Commission’s Decision on the use of standard contractual clauses for international data transfers to processors (Decision 2010/87) remain valid. Whilst the Court did not (for the purposes of this case) consider the Decisions on standard contractual clauses for transfers to controllers (Decision 2001/497/EC and Decision 2004/915/EC), these also remain valid. Unfortunately, the clauses are not an ideal set of terms to comply with in practice, and they are not up to date with GDPR requirements. But putting them in place may now be the only feasible option for a lot of organisations, at least whilst there is continuing uncertainty over the future of the EU-US Privacy Shield (or an equivalent scheme).

The EU-US Privacy Shield framework was introduced in 2016 to replace the former Safe Harbour scheme, which was declared invalid by the CJEU in 2015. See OBEP’s previous articles on this:

The reason that the CJEU has now declared the EU-US Privacy Shield invalid is similar to the reason that the Safe Habour scheme was declared invalid: the rights of US public authorities to access and use personal data compromise the protection of personal data, and there is insufficient judicial protection for data subjects. As stated in the CJEU press release: “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”.

Following the end of the Brexit transition period, the plan was that US organisations certified with the EU-US Privacy Shield could sign up for an equivalent UK-US Privacy Shield (for transfers from the UK to the US). However, following today’s decision, it is likely that this will also not be a valid way to comply with international data transfer rules.

The CJEU press release is here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.

Update 17 July 2020: The EDPB has issued a statement on yesterday’s Schrems decision here: https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en.

Key points on use of standard contractual clauses:

  • the clauses alone may not be enough if laws in country of transfer conflict with data protection measures; and
  • if the data importer cannot comply with the clauses, the data transfer may need to be suspended.

These matters should be assessed prior to using the clauses as an alternative to the EU-US Privacy Shield for transfers to the US. If there are concerns with using the clauses, other options will need to be considered, which may include alternatives to making a restricted transfer at all (such as anonymisation of data or using data centres in the UK/EU).

Olivia Whitcroft, principal of OBEP, 16 July 2020

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details