EU Court of Justice declares Privacy Shield invalid for transfers of personal data between EU and US

17.07.2020

The Court of Justice of the European Union (CJEU) has given judgment in the Schrems II case, holding that the EU-US Privacy Shield scheme that permitted transfers of personal data from the EU to third parties in the US that had signed up to the Privacy Shield does not provide sufficient protection and is therefore invalid. Below, we consider the implications of this decision for UK employers.

Legal background

Safeguards for transferring personal data outside the EEA Shcrems II

The GDPR prohibits transfers of personal data to countries outside the EEA unless “appropriate safeguards” are in place or an exception applies, on the basis that those countries may not otherwise offer sufficient protections for personal data.

Accordingly, a UK company cannot transfer its employees’ or customers’ personal data to a third party outside the EEA, including another group company, except in certain tightly defined situations. This restriction may be relevant to UK employers in various scenarios, the most common being if they have an overseas parent company with which they are expected to share certain employee personal data, e.g. for the purposes of centralised HR management.

The “appropriate safeguards” that employers may rely on include:

• an “adequacy decision” issued by the European Commission confirming that the country in question provides an adequate level of protection for personal data. (The countries currently covered by adequacy decisions are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay); or
• standard contractual clauses (SCCs) adopted by the European Commission for transfers outside the EEA, which can be entered into between the UK based employer and the third party outside the EEA; or
• binding corporate rules (a set of written rules and procedures governing the transfer of personal data between the entities in a corporate group, that has been approved by the national data protection authority in the EU country where the group is considered to be established).

EU-US Privacy Shield Scheme

Case history

The case stems from a long-running complaint brought to the Irish data protection authority by Max Schrems, an Austrian privacy campaigner and Facebook user, seeking to prevent Facebook Ireland from transferring his personal data to servers located in the US which belong to its parent company, Facebook Inc. Mr Schrems argued that US law did not sufficiently protect his personal data against access by the US public authorities.  In 2015 the CJEU ruled that the predecessor to the Privacy Shield scheme (known as the EU-US Safe Harbor arrangement) was invalid (the Schrems I case). 

In the aftermath of the Schrems I case, Facebook Ireland informed the Irish data protection authority that it had SCCs in place with Facebook Inc. to legitimise its personal data transfers to the US. The European Commission and the US Department of Commerce also devised the Privacy Shield scheme to give greater protections to personal data than the Safe Harbor arrangement had done.

Mr Schrems, however, was not content with either of these safeguard mechanisms and submitted a revised complaint to the Irish data protection authority, which referred questions to the CJEU, asking it to rule on the validity of SCCs and Privacy Shield.

CJEU judgment

The CJEU ruled that the Privacy Shield is invalid. It considered that the Privacy Shield did not sufficiently limit the rights of US public authorities to access and use EU personal data. In addition, the CJEU took the view that the right of an EU data subject whose data has been transferred under the Privacy Shield to make a complaint to a Privacy Shield Ombudsperson did not provide data subjects with equivalent protections to the GDPR.

The SCCs were found to be valid as a means of legitimising transfers of personal data to countries outside the EEA. However, the CJEU introduced some significant limitations to their use. An organisation seeking to rely on SCCs (a ‘data exporter’) must, according to the CJEU, satisfy itself that the laws of the country to which it is transferring personal data offer an appropriate level of protection of that data. 

Implications for UK organisations that transfer personal data outside the EEA

It is not just transfers to the US that may require review. SCCs remain valid in principle. However, in order to achieve proper data protection compliance in practice, organisations must consider carefully whether the data protection regime that applies in each third country to which they transfer personal data in reliance on SCCs can offer an appropriate level of protection for that data. 

Organisations will no doubt be hoping for constructive and practical guidance from the ICO to help them manage the impact of this decision on their international personal data transfers going forwards. For the moment, we suggest auditing what personal data you transfer outside the EEA, the purpose of the transfer and the nature of the safeguards relied on and waiting to see what further guidance is provided by the ICO.