On 16 July 2020 the European Court of Justice (ECJ) concluded that the EU-US Privacy Shield Framework does not provide adequate protection for EU citizens’ personal data under GDPR and is therefore invalid.
The decision was made on the basis that the Privacy Shield prioritises the needs of US security and law enforcement agencies over the rights of EU citizens.
The Privacy Shield was meant to afford a higher level of protection than its predecessor, Safe Harbor, requiring US companies to monitor and enforce data protection more robustly, cooperate more with European Data Protection Authorities and provide written commitments and assurances regarding access to data by public authorities. However, the ECJ has now ruled it is inadequate.
How does this affect UK businesses relying on the Privacy Shield?
On 16 July the Information Commissioner’s Office (ICO) stated that they will be working towards supporting global data flows whilst protecting people’s personal data.
The ICO further stated that, until new guidance is available, UK businesses can continue to use the Privacy Shield, but you should not start using it during this period.
However, since the above statement was made, the European Data Protection Board (EDPB) has issued guidance via an FAQ stating that there is no grace period during which you can continue to transfer personal data to the US without assessing your legal basis for the transfer. This does not mean that you have to change your legal basis, but you should stop relying on the Privacy Shield as an adequate measure for data protection.
On 27 July, the ICO referred to the EDPB FAQ and stated, “you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.”
What you should do now if you make international personal data transfers?
If you currently rely on the Privacy Shield for personal data transferred to services such as Zoom and Gmail, then you should do a risk assessment and consider other measures. If the international transfer does not come under an adequacy decision*, then appropriate safeguards such as using Standard Contractual Clauses (SCCs) of Binding Corporate Rules (BCRs) should be considered. If an appropriate safeguard is not available, then you can only make the transfer if it is covered by one of the exceptions set out in Article 49 of the GDPR.
* An adequacy agreement means that the EU considers the country with which it has an adequacy agreement offers adequate privacy protections equivalent to those in the EU.
In our opinion, if you take the above steps towards compliance whilst further guidance and advice becomes available, then it is unlikely that the ICO will take any action if in all other respects you are compliant under UK data protection laws.
Can Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) be relied on?
The use of Standard Contractual Clauses (SCCs) was also challenged but the ECJ did not invalidate their use. If you rely on SCCs then you may need to prove that adequate protection is provided. This could be difficult (and onerous) under current US laws if you use SCCs with a US business. Therefore, if you are reviewing or restructuring your systems and data flows, it would be wise to consider keeping all personal data within the EU.
In addition, the European Data Protection Board (EDPB) has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere.
The EDPB’s FAQ also refers to Binding Corporate Rules (BCRs) and states that every transfer, whether under a SCC or BCR, should be considered on a case-by-case basis. If you use one of these tools to help ensure compliance then you may need to demonstrate that it works in practice to ensure an equivalent level of protection to that guaranteed within the EU by the GDPR.
What happens after the Brexit transition period?
The ICO is working towards an adequacy decision with the EU. However, if the UK does not receive an adequacy agreement from the EU by 1 January 2021, then the UK will be considered a ‘third’ country and will be subject to restrictions on the flow of personal data from the EU.
Whilst we wait for further guidance and advice, it is worth noting that the ICO says they will “continue to apply a risk-based and proportionate approach” in accordance with their Regulatory Action Policy. In addition, whilst the ICO can fine organisations, this is reserved for the most serious breaches of the law. The ICO prefers to work with organisations to help them get it right, but that does not mean you should do nothing.
For further information about international transfers and alternative arrangements after the Brexit transition ends including templates for controller to controller and controller to processor templates, visit the ICO website.
Authors:
If you found this useful, please share:
