By Dave McKay | July 18, 2020
Privacy Shield No Longer Adequate
The Court of Justice of the European Union has invalidated the EU-U.S. Privacy Shield agreement, which allowed data to be transmitted out of the EU to the US, if the receiving company operated under the strictures of the Privacy Shield scheme.
If a country is not in the European Union (EU), and not within the European Economic Area (EEA), it is considered to be a third country. Special provisions need to be in place to transfer personal data to a third country, and those provisions must meet or exceed the requirements of the GDPR, or be otherwise sanctioned.
An adequacy decision has to be made about the data protection legislation of the third country. The countries that have received a favourable adequacy decision are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
America had a partial adequacy decision. That decision has now been reversed.
US Secretary of Commerce Wilbur Ross said the [US Department of State] was “disappointed” and that it is “studying the decision to fully understand its practical impacts. … We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments.”
So What’s Available Instead?
If the Privacy Shield scheme is not available for now—expect a revamped version to be initiated as soon as possible—what can you do legally if you need to send personal data to the US? These are the options.
- Standard Contractual Clauses
- Binding Corporate Rules
- Codes of Conduct and Certification Mechanisms
- Derogations
Derogations
Derogations are country-specific deviations from the letter of the GDPR that have been approved by the European Commission and the Supervisory Authority, or equivalent, of the country in question. They are an approved—and justified—deviation from the usual required compliance.
Derogations must be applied restrictively. They cannot become the new normal. They relate to ‘processing activities that are occasional and non-repetitive’. So, derogations cannot be used to allow regular business transfers of personal data.
Codes of Conduct and Certification Mechanisms
The European Data Protection Board (formerly the Article 29 Working Party) says that Codes of Conduct and Certification Mechanisms can offer appropriate safeguards for transfers of personal data to third countries if there are binding and enforceable commitments on the company in the third country.
In its guidance of 12th February 2018, the European Data Protection Board (EDPB) says these tools are new under the GDPR and that it is “…working on guidelines in order to give more explanation on the harmonized conditions and procedures for using these tools”. But, because there is no equivalent to the GDPR in the US—although California now has the California Consumer Privacy Act (CCPA)—there is no certification that could indicate acceptable compliance.
Binding Corporate Rules
Binding Corporate Rules are internal rules that define, for a multinational or international group of companies, the policy governing the movement and safeguarding of personal data between its member organizations and across borders. That is, they govern the transfer of personal data within a border-spanning organisation.
These contract-like documents are detailed, comprehensive, and must meet a set of mandatory conditions. Last but not least, they must be ratified as acceptable by your lead Supervisory Authority. That is, the equivalent of the ICO in the country where your HQ is located.
Standard Contractual Clauses
Both the data exporter (the EU company) and the data importer (the US company) must agree to use a contract of Standard Contractual Clauses (also known as Data Protection Clauses) approved by the European Commission. These contracts provide the additional data protection safeguards that are required in the case of a transfer of personal data to any third country.
Standard Contractual Clauses may be included in a wider contract and additional clauses might be added, so long as they do not contradict, directly or indirectly, the Standard Contractual Clauses.
All in All
None of these are quick wins or a fast answer. It might be the case that the CJEU gives the US a grace period and the US takes that time to uplift the Privacy Shield scheme to meet the required standards.