The Court of Justice of the European Union (CJEU) has declared invalid one of the key tools to facilitate the smooth flow of data between Europe and America.
The court’s decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems has caught many legal observers by surprise. Indeed, its impact will be felt immediately by businesses that transfer data between the EU and the US. The ruling also raises a question over data flow between the UK and the EU, and the UK and the US post-Brexit. We examine the issues below.
Why was a privacy shield agreement between the EU and the US needed?
GDPR provides consumers across the EU with a high level of protection when it comes to how their personal data is used – within Europe and internationally. The personal data of European citizens can only be transferred abroad if the transfer is in accordance with GDPR.
While US domestic data security law does not meet EU standards, the Privacy Shield Agreement enabled organisations that signed up to it and met its compliance standards to import data from the EU. Essentially the Privacy Shield was a straightforward mechanism used by businesses of all sizes that promoted EU/US trade by making the transfer of data easier.
What were the objections to the Privacy Shield Agreement?
Personal information of Facebook users across Europe is processed by Facebook Ireland. An Austrian, Max Schrems, challenged the transfer of his data by Facebook Ireland to its parent company in the US, Facebook Inc. He argued that security agencies and other state bodies in the US had oversight of his data in a way that similar agencies in Europe – subject to GDPR – would not.
What did the CJEU find wrong with the Privacy Shield?
In his case against Facebook, Mr Schrems argued that the EU/US Privacy Shield did not adequately protect his information. Following an examination of certain legal requirements of US domestic law, the court agreed.
In particular, the CJEU highlighted certain schemes that enabled US public authorities to have access – on national security grounds – to personal data originating from the EU. The fact that individuals whose data was being scrutinised had no recourse to legal action in the US represented an unacceptable interference with their fundamental rights.
Following the Privacy Shield decision, can I still transfer data to the US?
The effects of the decision have been immediate. This means you can no longer rely on a US data importer’s compliance with the Privacy Shield Agreement as a lawful basis for transferring data from the EU to the US. Our data protection solicitors are reminding clients of the increased chance of breaching GDPR when transferring personal data to America.
Reassuringly, in the Schrems case the CJEU did confirm that EU standard contractual clauses (SCCs) – drafted correctly – remain a valid mechanism with which to export data internationally, including to the US.
Bear in mind, however, that an SCC will only be valid if it is capable of being complied with in the relevant jurisdiction. You should be aware that the ICO has issued guidance to the effect that companies transferring data to the US should now carry out a detailed risk assessment to ascertain whether or not the SCC provides adequate data protection.
In short, in every case you need to ask: will the level of protection for the exported data be equivalent to that guaranteed to individuals under GDPR?
If such a level of protection can’t be guaranteed, another ground for transfer must be cited. For example, you could ask the individual to consent to the transfer of the data.
What about international data transfer after Brexit?
It had been anticipated that the Privacy Shield Agreement would be replicated for UK/US data transfer after Brexit. Now that the Privacy Shield Agreement has been struck down, such a step is unlikely. What new provision the two countries come up with remains to be seen. As for data transfers by EU companies to the UK after Brexit, the EU will want to ensure the UK has adequate measures in place to ensure GDPR levels of protection are maintained.