This will have far-reaching impacts on companies on both sides of the pond. Those that relied on the Privacy Shield to transfer personal data will have to find an alternative method or stop. This will be extremely problematic for companies that work across both jurisdictions, who must transfer personal data for their company to function.
What was the Privacy Shield?
Companies can transfer personal data to other countries where there is at least an equal measure of data protection as that directed by EU law. Companies can legally transfer data where the EU has determined a third country has adequate measures in place. The US have not passed this test owing to substandard data protection and privacy laws. So, the EU and US produced the Privacy Shield Framework. This framework carved out a legal path by which the personal data of EU citizens could be transferred between the EU and US, so long as those US companies enrolled to the Privacy Shield Framework, complied with the data protection obligations imposed upon them.
Why did the CJEU invalidate the Privacy Shield?
The CJEU determined that US National Security law does not sufficiently protect EU citizens’ personal data. US surveillance laws allow the government to access more personal data than is strictly necessary. In short, the US government can snoop to a degree which does not sit well with EU law. Hence, the Privacy Shield Framework does not sufficiently protect personal data transferred under it.
Standard Contractual Clauses – what are they?
SCCs are standard clauses which are published by the European Commission or by a member state Supervisory Authority. They offer sufficient safeguards on data protection to allow personal data to be transferred outside of the EU. Although the CJEU endorsed the use of SCCs, moving forward it made clear that parties have an obligation to ensure that the laws in the recipient country are sufficient to protect EU personal data. If the guarantees of the SCCs are not upheld, then personal data transfers with that company must be suspended.
What should companies do now?
Companies that transfer personal data to the US must ensure they continue to do so lawfully. Where a company has previously relied on Privacy Shield certification they must put in place a new transfer mechanism in the form of an SCC, but where required, consider additional, supplemental contractual safeguards which go above the standard SCCs.
To avoid falling foul of the Information Commissioners Office (ICO) companies must assess whether their data privacy safeguards are sufficient and ensure those of any company outside of the EU with whom they have or intend to continue sharing EU citizens’ personal data affords an equivalent protection guaranteed within the EU under GDPR legislation.
This is a complicated area of cross border data protection law. Companies are best erring on the side of caution and seeking advice from a lawyer to ensure compliance with EU law.
Speak to Karen Cole today who can review your existing contracts and practices to ensure your company is compliant.
Note: This is not legal advice; it provides information of general interest on a current legal issue.