The Court of Justice of the European Union has upheld a legal challenge to the validity of the EU-US Privacy Shield (the 'Schrems II' judgment). The Privacy Shield has been struck down with immediate effect and is no longer a valid mechanism for transferring personal data to the United States.
If you transfer personal data to US entities, including through the use of US-based hosting or cloud services, you can no longer rely on the Privacy Shield and should take action now to put another valid mechanism in place for transferring personal data outside the EU.
The Privacy Shield was introduced in 2016 as a replacement for the ‘Safe Harbor’ scheme, which was itself declared invalid in 2015.
It provided a codified set of data protection principles, agreed between the European Commission and the US Government, to which US businesses and organisations voluntarily subscribed. By joining the programme, a business self-certified that it complied with the principles and had to re-certify every year.
The General Data Protection Regulation (GDPR) only permits the transfer of personal data on specific grounds and subject to suitable safeguards. Within the EU, transfers can take place more freely because each Member State conforms to the same rules.
However, when transferring personal data outside of the EU, more stringent requirements apply in order to maintain the same level of protection for that data. Some countries, such as Canada (for commercial organisations), Japan, and New Zealand, have been found to offer 'adequate' protection by the European Commission, meaning transfers of personal data to them can proceed without additional safeguards.
Transfers to countries that are not deemed 'adequate' must, unless one of a limited number of alternative mechanisms (such as binding corporate rules) or exceptions applies, take place subject to appropriate safeguards, most commonly the 'standard contractual clauses' adopted by the European Commission.
The EU-US Privacy Shield provided an important gateway for American businesses and organisations: by self-certifying that they complied with the Privacy Shield principles, they fell within the Commission's adequacy decision for the scheme. Transfers to a member of the Privacy Shield programme were therefore treated as transfers to an 'adequate' recipient, so the EU standard contractual clauses and other safeguards for non-EU transfers were not required.
With the EU-US Privacy Shield invalidated, none of the US entities that relied on it to self-certify their data protection compliance can any longer be treated as 'adequate' for personal data transfer purposes.
It remains to be seen how quickly the EU and US will agree a new programme, if at all. For now, any transfers to US organisations must be made via one of the other valid mechanisms, in most cases the 'standard contractual clauses'. Note that the same judgment confirmed the standard contractual clauses remain valid only where the parties have assessed that the law of the destination country does not undermine the protection they provide; where it does, supplementary measures must be put in place or the transfer must not go ahead.
Larger US companies may take the initiative themselves and incorporate the standard contractual clauses into their standard customer agreements or data processing addenda. However, if you use a data processor based in the US (including the likes of Amazon Web Services), it is your responsibility as the data controller to ensure that another valid transfer mechanism is in place. Waiting to see what your provider does is not good enough.
We provide a number of data protection services, including a full GDPR audit, which looks into all areas of data protection compliance, and a shorter checklist service, which focuses on the key GDPR data protection principles.
Both of these include a review of your use of third-party data processors and the contract terms you have in place with them, which will help to identify whether you are transferring personal data to the US and so need to take further action.
If you already have details of your processors outside of the EU and need advice on ensuring your use of those processors is GDPR-compliant, we can help you consider the legal options and implement the best option for your business.
If you have any questions regarding this note, or would like further advice, please contact us.