Privacy Shield has gone the way of its predecessor, Safe Harbor: the Court of Justice of the EU (CJEU) has invalidated it. Privacy Shield had enabled transfers of personal data from the EEA to the USA by ensuring adequate protection. In reality, it did not provide actionable rights for data subjects against the US authorities before the courts. So, the CJEU has ruled that the protection afforded was not adequate and has invalidated Privacy Shield.
Just use model clauses
That’s ok, though, you can still transfer data by adopting the standard contractual clauses (aka model clauses), right? Well, the ECJ had something to say about that too. The clauses create a private contract between the EU party exporting the data and the party outside the EU receiving the data – here, the USA. Those clauses are not binding outside the parties, such as on public authorities. Thus, the data controller may need to adopt “supplementary measures” to maintain protection. It’s not clear what these measures would be but, without them, the controller should suspend data transfers.
Why does this matter?
Two reasons. First, data transfers from the UK + EU27 to the USA are now potentially in breach of GDPR. Again. Even using the standard contractual clauses.
Second, the UK government has indicated it is not concerned about a no-deal Brexit. If this happens, it would put the UK outside the GDPR safe zone, thus becoming a third country like the USA. The UK would then need a decision from the EU Commission that UK laws are still aligned with GDPR for data flows from EU27 to UK. The UK government has indicated it intends to continue complying with GDPR so that should be a simple decision? Well, the UK government’s approach to Brexit negotiations has not always been constructive or amicable. Even if the EU Commission rises above that, it was not that long ago that the CJEU ruled the UK’s “general and indiscriminate retention” of emails and electronic communications was unlawful. You can expect greater scrutiny this time round. So, an adequacy decision might not be quick.
What to do?
Keep calm and carry on. UK to EU / EU to UK transfers are fine, for now. UK to USA transfers should be on the basis of standard contractual clauses. And, from 1 January 2021, so should EU27 to UK / UK to EU27. That’s as much as the average business can do. Then you just have to see what happens next.
If you need advice, contact me at email@example.com or +44 (0) 20 7611 2338.