Changes To EU-US Privacy Shield
17th August 2020
On 16th July 2020 the Court of Justice of the European Union (CJEU) ruled that the EU Commission’s approval of the Privacy Shield was no longer a valid basis for transferring EU citizens’ personal data from EU territory to the United States.
Why has this ruling been made?
The CJEU held that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”
In layman’s terms, this meant that the Privacy Shield did not stop US intelligence agencies from accessing the personal data of EU citizens transferred to an American company, and that there was no effective way for EU citizens to lodge a complaint about US intelligence access to their data in the US.
Over 5,300 European and US companies, including SMEs, may no longer rely on the EU-US Privacy Shield as a basis for transferring personal data. There is no transition period: the ruling came into effect on 16th July 2020.
So, what must you do now if you export EU personal data to the US?
If you are a company that exports personal data, you are responsible for ensuring that your data transfers to third countries have “adequate protections”, as required under GDPR.
If your data transfers relied on the Privacy Shield, you will need to put an alternative in place, such as a Data Processing Addendum to an existing agreement, or use the Standard Contractual Clauses (SCCs) approved by the European Commission, which you can find here.
What if my business deals with a US-based cloud provider?
Details of how US cloud providers have responded to the CJEU ruling can be found on their websites, and you will probably have received emails from them alerting you to the alternatives they have put in place.
For example, Amazon’s AWS has responded with the following:
“Following this ruling, we wanted to inform you that AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR). AWS customers can rely on the SCCs included in the AWS Data Processing Addendum (DPA). As the regulatory and legislative landscape evolves, we will always work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate.”
Will there be a replacement to the Privacy Shield?
On 10th August 2020, the US Secretary of Commerce and the European Commissioner for Justice issued a press statement stating that they have “initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16th judgment…”
What are the consequences of not complying with the ruling?
It is your responsibility to ensure that any transfers of personal data to third countries have adequate protections in place, in compliance with GDPR and the Data Protection Act 2018. Each EU member state’s data protection supervisory authority (including the UK’s Information Commissioner) can begin an enforcement action for non-compliance, which may result in fines of up to 4% of a company’s global revenue.
What if I need additional advice?
If you need additional assistance and advice on how to comply with this ruling, or on the transfer of personal data to any third country that does not have an adequate level of protection, please contact Linda Bazant by email at email@example.com or by telephone on 07957422069.