On 16 July, the EU Court of Justice handed down its much anticipated ruling in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1) – otherwise known as “Schrems II”.
The ruling represents a significant milestone for EU and US data transfers. Under the GDPR, the transfer of personal data to a country outside of the EEA, a “third country”, may only take place if there is an appropriate safeguard in place.
One such appropriate safeguard is where the EU Commission has issued an ‘adequacy decision’ for a third country. These are in place for a number of countries. The Commission has also made partial findings of adequacy, including about the USA. The adequacy finding for the USA is restricted to personal data transfers covered by the EU-US Privacy Shield framework. The EU-US Privacy Shield places requirements on USA companies certified by the scheme to protect personal data and provides redress mechanisms for individuals.
However, that landscape has now significantly changed as a result of the CJEU ruling. The key two highlights from the ruling are:
- The EU-US Privacy Shield is invalid. This is used extensively across businesses to permit the processing (transfer) of data between the EU and the USA.
- The ruling upholds that the Standard Contractual Clauses (SCCs), another form of appropriate safeguard, remain a valid way of providing adequate protection when transferring personal data to a third country. However, controllers must carry out an assessment of the data protection afforded by the country where the data is to be taken. If the level is not equivalent to that offered by EU law, then the controller has a legal obligation to suspend the data transfers. This means that EU regulators, like the ICO, have a clear obligation to suspend data transfers which are taking place via SCCs to third countries where data protection is not adequate.
What should you be doing now?
At this stage, you will need to identify the contracts that you hold with organisations that process your personal data in the USA and check whether that transfer is permitted on the basis of the organisation being signed up to the EU-US Privacy Shield.
Also, identify agreements you have in place that have used standard contractual clauses. It will now need to be considered whether the countries that data is being transferred to offer an adequate level of protection to individuals.
Those countries with surveillance laws similar to the USA (e.g. China, India), may not be able to offer an adequate level of protection to individuals, but the key is that this will need to be determined on a case-by case basis. It presents a particular problem for countries who have (informally or formally) been denied an adequacy decision by the EU Commission.
Organisations will be looking to the ICO to provide guidance as we navigate ways to allow international data transfers compliantly without the threat of sanctions and civil compensation claims. The ICO has confirmed that it is ready to support UK organisations and will be working with the UK Government to ensure that global data flows may continue, and that people’s personal data is properly protected.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any of the issues raised in this article, please contact us today by telephone or email firstname.lastname@example.org.