Q&A: What the EU’s Privacy Shield ruling means for the UK
Wed 22 Jul 2020
We spoke to Toni Vitale, partner and head of data protection at JMW Solicitors, to understand the implications of last week’s CJEU ruling
Last week, Europe’s highest court, the Court of Justice of the European Union (CJEU), invalidated the EU-US Privacy Shield, a legal framework relied upon by thousands of US and EU companies to transfer personal data from the EU to the US.
The decision is perhaps no surprise, given the CJEU’s long-standing concerns about the ease with which the US government could access the personal data of European citizens. Privacy Shield itself was an attempt to redress the balance of privacy in favour of EU residents — but it has now been deemed inadequate.
What does this ruling mean for companies that previously relied on this lawful mechanism to legitimately transfer data to the US? And more specifically – what does the decision mean for the UK, which is bound by the CJEU’s decision until December 31, 2020 under the Brexit withdrawal agreement?
We spoke to Toni Vitale, partner and head of data protection at JMW Solicitors, to understand the implications of last week’s CJEU ruling and how UK companies can minimise disruption.
Why do EU companies transfer data to the US?
In the main there are higher IT costs in the EU than in the US, but companies also like the flexibility of storing and processing data in one place, so if they already have a data centre in the USA they would keep all the data in one place. Often back-ups and archive copies are kept in the USA and the operational version is kept in the EU.
Why has the privacy shield been deemed invalid?
The CJEU considered that, when personal data is transferred to a third country, it should be “afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the [EU] Charter [of Fundamental Rights]”.
This protection encompasses appropriate safeguards, enforceable rights and effective legal remedies for individuals. Through this prism, the CJEU considered the validity of the Privacy Shield and took the view that, despite the safeguards built into this framework, the risks to individual privacy arising from US government surveillance and law enforcement activities mean that the requirements of GDPR and the EU Charter are not met.
Who does this affect more, companies transferring data to the US or US companies receiving data from the EU?
It affects exporters and importers of data equally. Put simply, the CJEU has an issue with the interference by the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and with the surveillance programme utilised in the USA.
The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary. As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.
This means companies that currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on – something easier said than done given the EU’s issues with the US privacy legal system.
Could exports to the UK be impacted in a similar fashion post-Brexit?
The “Schrems II” judgment does nothing to change the legal criteria for adequacy, and the CJEU did not rule on the UK. However, the ruling will likely shift the political dynamic of the adequacy assessments.
The European Commission will assess the UK’s national security and surveillance architecture. Some commentators believe that the UK will fall short in the EU’s adequacy assessment because of its use of mass surveillance without judicial oversight. However, immediately after the “Schrems II” judgment, the Commission emphasised the importance of trans-Atlantic data flows and its willingness to find a solution with the US.
Nevertheless, the precedent set is that the CJEU is prepared to invalidate adequacy decisions if national security and surveillance legislation in the third country does not meet EU standards. As such, even if the UK were to rigorously apply and enforce the GDPR post-Brexit, attaining and retaining an adequacy decision cannot be guaranteed.
How disruptive is this actually going to be in the short term, and what can companies do to avoid disruption to operations?
It is expected that the EU and US will come up with a revised scheme very quickly as movement of data is essential for international trade. In the meantime, standard contract clauses can be used.
What is the most severe intervention that the ICO could make here?
The ICO could declare all transfers of data to the USA invalid, whether using standard contract clauses or not, but this is unlikely. The onus is on the exporter and importer to carry out an assessment of the risks.
How empowered actually is the ICO to enforce compliance?
The most draconian sanction is a stop order enforceable through a court injunction which prevents data transfers to the USA.
At a time when companies are struggling and economies need to stimulate growth, is this ruling an unwelcome distraction?
Protection of personal data is a fundamental human right and we cannot trade human rights for economic growth.