What the End of the Privacy Shield Framework Means for EU Businesses
The Schrems II case is set to have a significant impact on any firm that regularly conducts data transfers with the US – and is likely to be compounded by Brexit and COVID-19.
Alexander Edwards, partner at Rosling King LLP, offers Lawyer Monthly his advice for EU businesses on coping with changing data regulations.
The 21st century is set to be defined by data. As power shifts from Wall Street to Silicon Valley, the cataclysmic growth of both information and communications technology has created a world in which data exists as the most valuable commodity. This necessitates myriad legal, economic and political frameworks that safeguard how it is used.
In the EU, the General Data Protection Regulation (GDPR) was implemented in 2018 to protect and regulate the transfer of personal data throughout the European Economic Area (EEA). It also governs the transfer of data outside the EEA and can grant a decision of adequacy in relation to a third country.
With regards to the transfer of personal data to the US, an adequacy arrangement was in place that recognised the US’ Privacy Shield framework. A recent judgement by the European Court of Justice (ECJ) however has effectively removed adequacy status for the Privacy Shield and has brought considerable uncertainty to data transfer between the US and EU. It is vital, therefore, that EU and British companies stay alert when it comes to transatlantic data transfers.
The Privacy Shield Framework
The Privacy Shield Framework, approved and adopted in July 2016, placed requirements on US companies to protect personal data and provide redress mechanisms for data subjects.
That was 2016. Fast-forward to 2020 and, following the ECJ judgement handed down in July, known as the Schrems II case, the Privacy Shield Framework is no longer a valid mechanism by which to transfer personal data out of the EEA and into the US.
Behind the decision lay the central concern that, under US domestic law, US public authorities are able to access personal data transferred from the EU to the US for national security purposes. This, according to the ECJ, is a limitation on the protection of personal data and fails to meet the standards and protections afforded by EU law. Furthermore, US legislation fails to grant data subjects actionable rights against US authorities before the courts.
In addition, the ECJ held that while the standard contractual clauses mechanism was valid to allow transfers of personal data out of the EU, in practice, it may still not constitute a lawful basis to transfer personal data to the US. This is because data exporters will need to demonstrate that data transferred to the US under the Standard Contractual Clauses (SCC) mechanism would still be afforded equivalent levels of protection. Guidance as to how companies can do this is yet to be released, but companies are advised by the ICO to conduct a risk assessment as to whether SCCs provide enough protection.
Implications for EU – US companies
Given its far-reaching implications, the impact of this judgment is potentially a huge issue for both US and EU companies and could hamper EU – US data flows. As outlined by the Information Commissioner’s Office (ICO), “international data transfers that are so vital for the global economy [may] suddenly become open to question”. The European Commission and European Data Protection Board (EDPB) are now working to formulate more comprehensive guidance on extra measures which may need to be taken when transferring data to the US.
What should these companies do now?
The decision does not have a grace period, meaning that the Privacy Shield was invalidated from the date of the judgement, which was 16 July 2020. Any transfers subsequent to this date which rely on the Privacy Shield framework are, thus, illegal.
The decision made is likely to result in many companies facing a large amount of administration and legal costs in reviewing existing contracts, drawing up new contracts with suppliers or amending existing contracts to ensure that appropriate safeguards are in place.
If you are concerned that the invalidation of the Privacy Shield Framework may affect your business, you should take the following steps:
- Take stock of what transfers are made, how regularly they are made and what safeguards are in place in respect of those transfers. Companies should identify whether they make any international transfers, whether such transfers are intra-group transfers or to third parties and whether their contracts with third parties allow transfers to be made to third countries. Companies should prioritise those transfers which are business-critical, those which involve large amounts of personal data and those which are made on a regular basis.
- Once you have a clearer picture of your data flow, you should look to identify your existing transfer mechanisms and whether you currently rely on the Privacy Shield framework or standard contractual clauses to make transfers to third countries, in particular the US. You should identify whether there are any alternative means to allow you to continue to transfer data to the US and promptly take steps to mitigate your position and put appropriate safeguards in place if required and if possible.
- Where you do not rely on the Privacy Shield and instead have standard contractual clauses in place, you should, as the ECJ found that US law does not ensure an equivalent level of protection, review the transfers which are made on a case-by-case basis and assess whether the SCCs in place are adequate or whether supplementary measures should be put in place. The EDPB is looking into what these supplementary measures could be and more guidance should be issued in due course. In the event that SCCs and/or any other supplementary measures would not ensure that appropriate safeguards are put in place, you may need to suspend or end the transfer of personal data.
- Going forward, you should continue to monitor your data flows and guidance issued by the EDPB and the ICO in connection with international transfers of personal data.
Where does Brexit fit into all of this?
With Brexit on the horizon, the UK will become a third country on 1 January 2021 in the eyes of GDPR. As such, the UK will be looking for an adequacy decision from the European Commission to enable the continued smooth transfer of personal data to and from the EU. However, the Schrems II decision highlights that any such decision could be challenged in the future, which will doubtless cause further headaches for companies and serve only to hinder EU-UK data flows going forward.
Understandably, this would be a huge blow to economic activity at a time when countries are trying to overcome the effects of COVID-19. While the ICO has pledged to “continue to provide practical and pragmatic advice and support” as well as apply “a risk-based and proportionate approach”, companies should remain alive to the risks and their obligations under GDPR should they transfer personal data to the US.
It is vital that companies continue to review and consider guidance and advice as it becomes available and look to react promptly to any recommendations or requirements in such guidance. With Brexit also looking to impact data flows between the EU and the UK from 1 January, companies should start to take a proactive approach to evaluate how the Schrems II decision could impact them and ensure that they have a clear picture of what data flows they have.
Whether or not an agreement will be reached to replace Privacy Shield with another form of third country data transfer mechanism remains to be seen. However, given the central concerns of the ECJ with US domestic law and its protection of personal data, it seems unlikely that a replacement will be achieved any time soon.