Back arrowButton/calendaricon/lockicon/sponsor
Open search
Close search
Login
Call us on0808 168 5874

17.07.2020

The Court of Justice of the European Union (CJEU) has given judgment in the Schrems II case, holding that the EU-US Privacy Shield scheme that permitted transfers of personal data from the EU to third parties in the US that had signed up to the Privacy Shield does not provide sufficient protection and is therefore invalid. Below, we consider the implications of this decision for UK employers.

Legal background

Although the UK has technically left the EU, the EU General Data Protection Regulation (GDPR) has been incorporated by the UK into its domestic law and therefore continues to apply, even after Brexit. In addition, the UK remains bound by decisions of the CJEU that are issued during the post-Brexit transition period. 

Safeguards for transferring personal data outside the EEA Shcrems II

 The GDPR prohibits transfers of personal data to countries outside the EEA unless “appropriate safeguards” are in place or an exception applies, on the basis that those countries may not otherwise offer sufficient protections for personal data.

Accordingly, a UK company cannot transfer its employees’ or customers’ personal data to a third party outside the EEA, including another group company, except in certain tightly defined situations. This restriction may be relevant to UK employers in various scenarios, the most common being if they have an overseas parent company with which they are expected to share certain employee personal data, e.g. for the purposes of centralised HR management.

The “appropriate safeguards” that employers may rely on include:

  • an “adequacy decision” issued by the European Commission confirming that the country in question provides an adequate level of protection for personal data. (The countries currently covered by adequacy decisions are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay); or
  • standard contractual clauses (SCCs) adopted by the European Commission for transfers outside the EEA, which can be entered into between the UK based employer and the third party outside the EEA; or
  • binding corporate rules (a set of written rules and procedures governing the transfer of personal data between the entities in a corporate group, that has been approved by the national data protection authority in the EU country where the group is considered to be established).

EU-US Privacy Shield Scheme

For transfers of personal data to the USA, employers may also have sought to rely on the EU-US Privacy Shield, a scheme agreed between the European Commission and the US Department of Commerce which permitted transfers from a UK employer to a US based third party that had self-certified its commitment to the Privacy Shield. However, that mechanism has now been invalidated by the decision of the CJEU. 

Case history

The case stems from a long-running complaint brought to the Irish data protection authority by Max Schrems, an Austrian privacy campaigner and Facebook user, seeking to prevent Facebook Ireland from transferring his personal data to servers located in the US which belong to its parent company, Facebook Inc. Mr Schrems argued that US law did not sufficiently protect his personal data against access by the US public authorities.  In 2015 the CJEU ruled that the predecessor to the Privacy Shield scheme (known as the EU-US Safe Harbor arrangement) was invalid (the Schrems I case). 

In the aftermath of the Schrems I case, Facebook Ireland informed the Irish data protection authority that it had SCCs in place with Facebook Inc. to legitimise its personal data transfers to the US. The European Commission and the US Department of Commerce also devised the Privacy Shield scheme to give greater protections to personal data than the Safe Harbor arrangement had done.

Mr Schrems, however, was not content with either of these safeguard mechanisms and submitted a revised complaint to the Irish data protection authority, which referred questions to the CJEU, asking it to rule on the validity of SCCs and Privacy Shield.

CJEU judgment

Privacy Shield is invalid

The CJEU ruled that the Privacy Shield is invalid. It considered that the Privacy Shield did not sufficiently limit the rights of US public authorities to access and use EU personal data. In addition, the CJEU took the view that the right of an EU data subject whose data has been transferred under the Privacy Shield to make a complaint to a Privacy Shield Ombudsperson did not provide data subjects with equivalent protections to the GDPR.

 
SCCs are valid but subject to limitations

The SCCs were found to be valid as a means of legitimising transfers of personal data to countries outside the EEA. However, the CJEU introduced some significant limitations to their use. An organisation seeking to rely on SCCs (a ‘data exporter’) must, according to the CJEU, satisfy itself that the laws of the country to which it is transferring personal data offer an appropriate level of protection of that data. 

In addition, the CJEU pointed out that the SCCs themselves require the third party recipient of personal data (the ‘data importer’) to inform the data exporter if it becomes aware of circumstances that mean it can no longer comply with the SCCs. If a data exporter becomes aware of any such circumstances (whether via notification by the data importer or otherwise), it must cease transferring personal data to that country.
 
Responsibilities of EU data protection authorities 

The CJEU also emphasised the responsibility of the data protection authorities in the EU to suspend or prohibit transfers of personal data to third countries under SCCs if they consider that deficiencies in the third country’s laws mean that it is no longer possible for data importers in that country to comply with the SCCs.
 

Implications for UK organisations that transfer personal data outside the EEA

The CJEU’s decision will have a significant impact on UK organisations that transfer personal data to third countries, and on the third country recipients of such data. 
 
Organisations that have been relying on the Privacy Shield to transfer personal data to recipients in the US will need to put in place alternative safeguards if they wish to continue such data transfers, and update their privacy notices accordingly. We anticipate that the Information Commissioner’s Office (ICO) will allow them some time to do so, and will not seek to take immediate enforcement action to prevent such transfers.

It is not just transfers to the US that may require review. SCCs remain valid in principle. However, in order to achieve proper data protection compliance in practice, organisations must consider carefully whether the data protection regime that applies in each third country to which they transfer personal data in reliance on SCCs can offer an appropriate level of protection for that data. 

In addition, the CJEU’s criticism of the US data protection regime in this case may even call into question whether organisations can safely rely upon SCCs as an alternative to the Privacy Shield to transfer personal data to the US. 

Organisations will no doubt be hoping for constructive and practical guidance from the ICO to help them manage the impact of this decision on their international personal data transfers going forwards. For the moment, we suggest auditing what personal data you transfer outside the EEA, the purpose of the transfer and the nature of the safeguards relied on and waiting to see what further guidance is provided by the ICO.  

Broader implications for the UK post-Brexit

Once the transition period comes to an end, the UK will be a third country for the purposes of EU data protection law. The UK Government is seeking an adequacy decision from the European Commission, which would permit the free flow of personal data from the EEA to the UK but this will take some time. Interestingly, how the UK Government approaches personal data transfers to the US going forwards might actually influence the European Commission’s view of the adequacy of the UK’s data protection regime. For example, the Commission might not look on the UK favourably if it decides not to adopt the Commission’s stance on US data protection or enters into a new agreement with the US that is akin to the Privacy Shield. 

Until the European Commission grants an adequacy decision, organisations in the EEA wishing to transfer personal data to recipients in the UK after the end of the transition period will likely need to rely on SCCs to do so.

How we can help

Make UK member companies can access detailed guidance on the GDPR and data protection compliance requirements in the HR & Legal Resources section of our website. (We are currently updating these to take account of the decision in the Schrems II case).

If you are not a Make UK member company, but are interested in accessing these resources, as well as our expert HR and employment law advice, please call us on 0808 168 5874, or email [email protected]

 

 

 

 

 
News / HR & Legal / Make UK / Data protection