It is well established in data protection law that regular transfers of personal data to outside of the European Economic Area (EEA) are generally prohibited unless the recipient is either: situated in a jurisdiction which the European Commission considers provides adequate privacy protection; or is subject to additional obligations and protections above and beyond what its host country requires.
Usually, those additional obligations and protections mean agreeing contractual provisions prepared by the European Commission (what are called Standard Contractual Clauses) between the data provider and its recipient. Additionally, if the recipient is in the USA, EEA businesses have historically been able to instead rely on the EU-US Privacy Shield (a voluntary regime under which US businesses could self-certify their compliance with the requirements of the Privacy Shield framework).
If either of the Standard Contractual Clauses or Privacy Shield registrations were in place, personal data could flow over borders.
However, the Court of Justice of the European Union ruled on 16 July 2020 that the Privacy Shield is not valid and therefore cannot be relied upon to allow EEA businesses to send personal data across the Atlantic.
Further, although it held that the Standard Contractual Clauses are theoretically still valid (which is welcome news, as there has been some doubt about this recently), they are not a panacea. It appears that the Clauses may also be inappropriate when dealing with recipients in the US and, even for other jurisdictions, data senders will have to carry out additional due diligence on their data recipients’ local privacy laws to consider fully whether the Clauses can be appropriate. We are awaiting additional guidance on this as it is not known what level of detail or expenditure data senders will be required to incur before they are permitted to use those Clauses.
In other words, there is significant doubt at the moment how personal data can be lawfully sent from the EEA to the US.
This clearly has the potential to be very disruptive to how many businesses here operate and is likely to require some, possibly substantial, work to be done to adapt to the new landscape.
As at publication of this article, the UK’s Information Commissioner’s Office has noted that it is considering the full implications of the case, but it has not yet given any further guidance. It is worth remembering that this problem has been encountered before, with the same privacy advocate (Max Schrems) bringing a similar case against the same defendant (Facebook), which resulted in the Privacy Shield’s predecessor being found by the Court to be invalid.
In the meantime, businesses should take stock of how this case could impact them, including by reviewing what personal data they regularly send to the USA (and other non-EEA jurisdictions) and taking advice on how this court case can influence their operations.
It should already be the case that transfers only take place where absolutely necessary, but businesses want to take the opportunity now to double-check this is actually the case. It will also be a good time to talk to the intended data recipients in the US, to see how they are approaching this issue to ensure that business can continue.
If you would like to discuss the implications of this case on your business, or any other data protection matters , please feel free to contact Paul Eastwood firstname.lastname@example.org
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.