The EU-US Privacy Shield is no more. In a dramatic move, the European Court of Justice ruled the agreement covering the transfer of EU citizens’ data to the US is invalid as of 16 July 2020.
What is the Privacy Shield?
The Privacy Shield is used as a mechanism for data transfer for over 5,000 companies to ensure that data subject to GDPR standards is kept secure and safe when held in the US.
Since the Privacy Shield is no longer in effect, companies will have to rely on other mechanisms such as standard contractual clauses (SCC’s) and binding corporate rules (BCR’s) to maintain transatlantic data transfers.
It is important to note that this ruling does not concern what’s known as ‘necessary’ data transfers, like sending an email to book a hotel or finalise a contract. This ruling is about the bulk outsourcing of data covered by GDPR, that is EU citizen’s data, to the US. This is often done for cost reasons or because the business is based in the US.
Long term, this ruling could mean more EU data is processed closer to home. However, in the short term, any data which is transferred using the Privacy Shield mechanism should be reassessed and a new framework put in place, at least temporarily, to reduce any interruption to the data flow.
The EU-US Privacy Shield and Facebook
The key issue with the now defunct Privacy Shield concerned the transfer of data by Facebook and their use of SCC’s to transfer EU data to the US. But given privacy campaigners’ concerns about the US government’s use of surveillance technology, it set up a clash between American data mining and EU data protection.
SCC’s are not the answer if, like Facebook was doing, the data cannot be assured of adequate protection in the US. The ruling means that EU regulators — such as Ireland’s DPC — have a clear obligation to suspend data transfers which are taking place via SCCs to third countries where data protections are not adequate, which now includes the US. This is what the court case, known as Schrems II had asked the Irish regulator to do in the first place.
This could be remedied if the EU gives the US an adequacy decision, meaning that it is a safe third country to transfer data to, with GDPR-like privacy regulations. However, that doesn’t seem likely to happen in the short term. The EU court said today: “In the absence of an adequacy decision, such transfers may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies”.
What to do now
Use standard contractual clauses or binding corporate rules to keep afloat transatlantic data transfers. SCC’s can be used in the meantime to keep current data transfers going.
Seek assurances from US counterparts about their commitment to data protection rules.
Undertake a data audit to understand what data is affected.
Update privacy notices, or consider changing the condition for processing from users to continue the flow of data to the US. Explicit consent, or necessary transfers, or transfers in the public interest or the interest of the data subject are not affected by the ruling.
Longer-term, consider whether data processing done in the US can be done closer to home.
Use our Omnitrack reporting tool to undertake a data audit and understand what data flows might be interrupted by this ruling.
VinciWorks will update you as this story develops and will provide further guidance on EU-US data transfers as soon as possible.
- Read the Press Statement from the Court of Justice of the European Union on the Schrems II case
- Read the full judgement in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems
- GDPR resources page