If you do business with companies in the USA – and potentially even anywhere outside Europe – you might find that you have a new problem. New rules on data protection, which came into effect last week, effectively make it harder to transfer data outside of Europe.
Privacy Shield – Not Strong Enough
On 16 July 2020, the ECJ ruled in the “Schrems 2” case. This involved a complaint about Facebook’s use of data when it could ultimately be accessed by the US government. The court decided that you could no longer rely on “Privacy Shield” to allow the transfer of personal data from Europe to the USA.
Privacy Shield was a system whereby a US business could register with the US government to confirm that it would hold personal data with certain protections. It was thought, until last week, that if a US company held this registration then the prohibition on transferring data outside Europe would not apply to that company. This was because the view was that Privacy Shield gave protections to EU citizens’ data in the US similar to that offered by GDPR in Europe.
Except, that was wrong.
The ECJ decided last week that Privacy Shield is invalid because it gave US national security and law enforcement agencies priority over the rights of EU citizens. The ruling says that this is not proportionate and goes beyond what is strictly necessary, and that US laws do not give EU citizens appropriate rights of redress through the courts if their data is misused by US authorities.
Privacy Shield rules allow for an Ombudsperson to provide this redress to EU citizens. This was thought enough until this case. Now, the ECJ says that the Ombudsman doesn’t provide “guarantees substantially equivalent to those required by EU law” because it’s not independent and cannot impose its will on US intelligence services.
The Business Software Alliance, one of the parties to the case, said that the CJEU decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.
“Today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic. The impacts will be felt by large and small enterprises on both sides of the Atlantic, when businesses are focused on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” said Thomas Boué, director general of the BSA.
What should organisations do?
The short answer is that you should not rely on Privacy Shield to protect data you pass to the USA. In the short term, you should consider whether you need to pass this over at all. Keep in mind that we are talking about “personal data”, which is information allowing living people to be identified; pricing, drawings, code and other information should not be affected.
This isn’t just about direct transfers of data. You should assess what data is being transferred outside the EU on your behalf. This could be anything from an intra-group transfer to the use of marketing software hosted in, or run out of, the USA.
There is a solution… if you can get it agreed
It is not all bad news. The ECJ did leave the door open to data transfers to the USA, just not via Privacy Shield.
The alternative is the “Standard Contract Clauses”, known as SCCs. These are a fixed set of conditions that can be agreed between a European business and one in the USA (or anywhere outside Europe, for that matter).
The good news is that these are approved by the ECJ as regulating data transfer from Europe to elsewhere in the world. If the recipient of personal data has agreed to stick by them, you can move personal data to them and be Data Protection compliant.
The bad news is that they are not up for negotiation. To get the benefit of the SCCs, they need to be agreed in their entirety.
Not my problem – I don’t deal with the USA
While this case directly affects data transfer to the USA, its principles go further.
Without SCCs in place, the EU has only approved a limited list of countries where you can transfer data. Most are excluded: Australia, China, the whole of the Middle East and most of Asia and South America are not automatically approved.
If those countries have carved out a data protection niche for their national security, then this case will likely affect them too, so don’t be too comfortable.
If you have concerns about data transfers in light of the Privacy Shield decision, please contact Derek Hamill on 0141 530 2022 or firstname.lastname@example.org.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.