The EU-US Privacy Shield, one of the few mechanisms which provided for the legal transfer and storage of personal data from EU member states to the United States, has been declared invalid by the European Court of Justice (CJEU).

What happened to Privacy Shield?

In a recent case, known as Schrems II (C-3111/18), the CJEU agreed with the complainant, Mr Schrems, that the Privacy Shield was inadequate and therefore not sufficient for the purposes for which it was originally intended. This was on the basis that US laws, particularly those relating to mass surveillance, are contrary to the provisions of the General Data Protection Regulations (GDPR) and the Privacy Shield did not offer enough protection to European citizens whose data was transferred to the US and subsequently became subject to those US laws.

The consequences of the judgement

GDPR restricts the transfer of personal data to countries outside of the EEA unless the rights of the individuals are protected or one of a limited number of exceptions applies. The restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out. Not many people realise but a “transfer” can happen when data can be accessed by a third party even if you have not intentionally transferred it in the traditional sense.

This means if your website or email provider is hosted in the US (including services hosted in the “cloud”) you will be making a transfer of personal data outside the EEA. Other examples of international transfers are where IT support services are provided outside the EEA or where you use a third party marketing service hosted overseas to send marketing emails.

What was the Privacy Shield scheme?

The EU-US Privacy Shield scheme allowed companies to transfer personal data to the US in compliance with GDPR. Those US companies who had joined the scheme were considered to have adequate protections in place for personal data to be transferred to them without the need for further measures to be taken.

The Privacy Shield replaced the previous “Safe Harbor” scheme which was declared as invalid by the same court in 2015 as not offering adequate protection for data subjects.

The decision invalidating Safe Harbor in 2015 sent ripples through the software industry and the new and improved EU-US Privacy Shield was hastily agreed between the US Department of Commerce and the European Commission to enable trans-Atlantic data transfers to continue. At the time it was agreed in 2016 many critics maintained the Privacy Shield still didn’t go far enough to protect personal data of EU citizens despite the extra protections it put in place. The decision is therefore not a complete surprise but it will be interesting to see if a Privacy Shield 2 emerges in the months that follow.

What does its invalidation mean for businesses?

The EU-US Privacy Shield was relied upon by some 5,300 companies in order to safeguard the transfer of personal data across the Atlantic. With the Privacy Shield shot down and the US not on the list of countries the EU considers to have adequate data protection provisions in place, many transfers of data to the US will now breach GDPR. This means that companies in the UK and the EU must rely on one of the very few other available options in order to legally transfer data to the United States.

What are the other options available for data transfer to the US?

Other options for transferring personal data outside the EEA are Binding Corporate Rules also known as BCRs (only on option for transfers between group companies) and Standard Contractual Clauses (SCCs) – the latter being the easiest to implement and available for transfers to third party suppliers.

SCCs are legal contracts developed by the European Commission which create obligations on any company outside the European Economic Area who will be in receipt of personal data to effectively comply with the obligations under the GDPR. These have been commonplace in contracts with companies in countries outside the EAA which are not the subject of an adequacy decision for sometime now; now they must be used for transfers to the US as well.

Many multinational companies, such as Microsoft, have already made statements proclaiming their adherence to international data transfer requirements under the GDPR, regardless of the CJEU ruling by claiming to have appropriate SCCs in place already, whereas other companies will still need to make changes to their processes to comply.

The SCCs can be implemented retroactively; therefore they can easily be implemented in order to accommodate for this decision by the CJEU and to allow the continuation of data transfers to the US.

Action that must now be taken by businesses

Given that the EU-US Privacy Shield can no longer be relied upon, and that the US is no longer the subject of an adequacy decision, businesses need to look very carefully at where their data is stored and make enquiries with any third party suppliers they use (including software and email providers who may host data for you) to ensure those third parties have implemented adequate protections for the transfer of personal data to the US in light of the decision.

You will find many of your suppliers will have been relying on the Privacy Shield for their international data transfers, so you need to ensure they have implemented an alternative solution to enable the lawful transfer of personal data to continue.

You should also review your privacy policy in light of the decision as it may refer to the Privacy Shield as the mechanism you are relying on for any international data transfers so this will need to be updated.

This article was co-written by Kathryn Heath and Joe Bryon-Edmond from our Intellectual Property and Data Protection team.