A recent decision to invalidate Privacy Shield means that UK businesses sending personal data to the US must now put controls in place to ensure that data is protected and to avoid breaching GDPR.
In a landmark decision in July 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield. The implications of this decision are significant and wide-ranging. Not only does this create uncertainty regarding data transfers to the US, but it also puts pressure on the US to reform its surveillance practices.
What is the Privacy Shield?
Personal data transfers from the EU to non-EU countries are prohibited under the General Data Protection Regulation (GDPR) unless certain safeguards are put in place to ensure adequate data protection. The Privacy Shield was the agreed framework that allowed such transfers of personal data, until, that is, the CJEU ruled the Privacy Shield invalid.
Why did the CJEU rule the Privacy Shield invalid?
The CJEU found that US law does not provide a level of protection that is substantially equivalent to that of the EU. It based its decision on US public authorities being able to review transferred data for national security reasons under the Patriot Act. Another major factor in the ruling was that, unlike in the UK and Europe, where data subjects own their personal data, in the US the state owns the individual's data, except in California, which has its own state privacy law.
What does invalidation mean?
By declaring Privacy Shield invalid, companies sending personally identifiable data to the US from the UK and Europe are now in breach of GDPR. Members of the EU (and this will continue to apply to the UK despite Brexit) must meet the adequacy requirement. The EU Commission assesses countries to determine whether their data protection meets the adequacy standard.
So now the onus is on your business to put in place adequate controls, which ensure a data subject's rights to data privacy have not been breached by the US.
What are the options now?
- Standard Contractual Clauses (SCCs) between your business and the US-based organisation to which you wish to transfer personal data. Although this looks like an easy solution, altering any of the clauses within the SCCs will invalidate the agreement.
- Binding Corporate Rules (BCRs) can be used by a company, provided it registers them with the ICO. BCRs can be used to bring action against another company in the event of a data breach.
- A Data Protection Agreement (DPA) can be used to define the framework for how data may be stored, transferred and secured. The benefit of a DPA is that you can make it specific to the parties you are sharing data with and agree on the method of data transfer.
So how should you proceed? The ICO recommends that “you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.” Review the suppliers and contracts where you are relying on the Privacy Shield, and start thinking about alternative arrangements. Planning and being ready for change will make the process that bit easier.
If you have any questions on the protection and security of your business data, our expert teams are here to advise - please get in touch.