The broken Privacy Shield – and what employers can do about it
On 16th July 2020 the ECJ delivered a hugely significant ruling, which will see major changes in the way that personal data is shared outside the EU. It will have a major impact on businesses which need to transfer staff data to group companies, servers or cloud storage in the US.
The GDPR prohibits data controllers and data processors from transferring personal data to third countries outside the EU unless an exception applies. The main exceptions are where:
- the EU Commission has issued an 'adequacy decision' stating that the third country provides sufficient protection for personal data;
- the data subject has given explicit consent to the transfer;
- the transfer is an intra-group transfer governed by legally enforceable binding corporate rules (BCRs) that have been approved by the relevant regulator (in the UK, this is the Information Commissioner); and
- the exporter and recipient of the data both agree that the transfer will be governed by standard contractual clauses (SCCs) approved by the EU Commission.
Transferring personal data to the US is particularly fraught, as the EU has never issued an adequacy decision covering the US. Many EU and UK-based businesses use US-based cloud storage or servers, or have US-based group companies with which they need to exchange staff and customer data.
Until 2015, these EU-based businesses could transfer data to US companies which participated in the Safe Harbor scheme (which required those US companies to self-certify their compliance with basic data protection standards). This scheme was ruled unlawful in 2015 by the ECJ after Edward Snowden's revelations about mass surveillance by the US security agencies.
The EU Commission put in place a replacement self-certification scheme called the Privacy Shield. Now that scheme too has been ruled unlawful by the ECJ, having been challenged by the same privacy campaigner, Max Schrems, who secured the ruling on the Safe Harbor scheme.
Mr Schrems also challenged the use of SCCs. Fortunately for businesses, the ECJ upheld SCCs as valid, but with the warning that the data exporter and recipient are responsible for checking that the third country's legal regime makes it possible for SCCs to be complied with fully – not an easy task.
What now?
It seems very likely that there will be further negotiations between the US and EU to agree a replacement scheme – and equally likely that any such scheme will face similar challenges from privacy campaigners.
We anticipate that the Information Commissioner will issue guidance for UK businesses soon, but in the meantime, UK or EU-based businesses should urgently audit their data transfers to the US to determine whether they rely on the Privacy Shield. If so, they should put alternative arrangements in place without delay. Explicit consent is unlikely to be an appropriate basis for transfers of staff data. With SCCs often seen as the simplest option, businesses will need to consider how they can establish that SCCs can be complied with in the US.
The impact of this case may be particularly acute in the UK because of Brexit. During the transition period the UK is considered to be part of the EU for data protection purposes. However, when the transition period ends (currently due to end on 31 December 2020), unless the UK is given a finding of "adequacy" by the EU, transfers of personal data from the EU to the UK may also become problematic. Businesses should factor this into their Brexit preparations, particularly as a no-deal Brexit remains a realistic possibility.