Data protection update: privacy shield (EU-US) framework invalidated by CJEU

In a landmark ruling from the Court of Justice of the European Union (CJEU) on 16 July 2020, the Privacy Shield Framework which formerly legitimised transfers of personal data from the EU to the US organisations which were certified under the scheme, has been invalidated. As such those businesses relying on this framework will need to seek alternative mechanisms moving forwards in order to carry out data transfers to the US in a compliant way.

Background – Schrems I

The ruling made on 16 July 2020 is the latest outcome from the famous Schrems case (Schrems I) in which an individual Max Schrems made a complaint to the then Irish Data Protection Commissioner regarding the transfer of his personal data (from his Facebook account) by Facebook Ireland to servers of Facebook Inc., located in the US. The crux of his complaint centered on the legality of the transfer and adequacy of protection in relation to this personal data. The result of the proceedings was that the Safe Harbour framework, which permitted EU-US transfer of personal data, was found to be inadequate and the framework was replaced by Privacy Shield.

CJEU ruling - Schrems II

In the latest iteration of the Schrems proceedings (Schrems II), the validity of the Standard Contractual Clauses (SCCs), another mechanism for transfers of personal data from the EU to third countries (including but not limited to the US), was a focal point. However in confirming the validity of the SCCs, the CJEU also went on to declare the Privacy Shield framework as invalid for EU-US transfers of personal data on the basis that US laws did not provide adequate safeguards for the protection of personal data in line with the standard offered by the General Data Protection Regulation (GDPR) - such inadequacy essentially resulting from US surveillance laws.

Practical implications for businesses

The effect of the ruling on 16 July 2020 by the CJEU will be felt immediately by the many businesses still relying on the Privacy Shield for EU-US personal data transfers, specifically as there is no specific grace period or other transition period for businesses to adopt an alternative lawful mechanism.

That said, the issues raised around the validity of the Privacy Shield are not by any means new and have been around for some time, resulting in many larger businesses already having made that switch to an alternative transfer mechanism - this being the SCCs in most cases.

For those businesses still relying on the Privacy Shield however and in the absence of an adequacy decision (that the relevant third country provides adequate safeguard for the protection of personal data), an alternative lawful transfer mechanism will need to be sought.

The SCCs are arguably the most flexible option for most businesses for transfers of personal data to third countries (though not the only option), however this should not simply be regarded as a "tick-box" exercise and some form of transfer assessment may be required in order for data exporters to verify the level of protection in the third country (in line with the GDPR) and to make that assessment as to whether additional measures or safeguards are required to be put in place prior to making any transfers to such third country. Inability to comply with the SCCs would enable the data exporter to suspend the transfer in question or terminate the SCCs entirely.

UK's position post-Brexit

Upon completion of the Brexit transition period on 31 December 2020, the UK will become a third country for the purposes of international data transfers and in the absence of an adequacy decision by the European Commission, those EU businesses seeking to transfer personal data to the UK will be faced with the same issues and considerations as those highlighted in this briefing note.

Although the UK is still on track for implementing the GDPR into UK law (UK GDPR), there will nonetheless be emphasis on the standards in place in the UK for the protection of personal data (taking into account UK surveillance laws which may pose certain GDPR compliance issues) and on this basis, international transfers of personal data is certainly an area of law which will need to monitored on an ongoing basis.