21 July 2020

Transatlantic transfers of personal data: time for re-evaluation of the dataflow

Nicola Culliton
Associate | UK

On 16 July 2020, the Court of Justice of the European Union (CJEU) declared the Privacy Shield – one of the legal mechanisms that allow the lawful transfer of personal data from the European Economic Area (EEA) to the United States of America (US) – invalid on the basis that it does not provide ‘essentially equivalent’ protection of personal data. In the same ruling (Case C-311/18, commonly referred to as Schrems II), the CJEU upheld, but qualified, the use of Standard Contractual Clauses (SCCs), which are another mechanism allowing lawful transfers to the US.

Reliance on Privacy Shield

From an EEA perspective, the CJEU’s decision means that the European Commission decision establishing Privacy Shield is null and void with immediate effect.

EEA businesses should:

  • expect some grace period before European data protection authorities start sanctioning them for Privacy Shield-based transfers to the US, as was the case when its predecessor, the Safe Harbour, was invalidated;
  • not agree any new deals that envisage Privacy Shield-based transfers to the US, and insist that their counterparties agree to an alternative safeguard that can legitimise the transfer, such as the SCCs; and
  • review their list of US-based suppliers (the Article 30 GDPR records of processing activities are a good starting point) and approach those suppliers about incorporating SCCs into existing commercial agreements.

US businesses should:

  • to the extent they are Privacy Shield certified, continue to comply with the applicable principles, as the Department of Commerce will continue to administer the program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List; and
  • proactively approach their EEA customers and partners with a view to putting in place an alternative safeguard, such as SCCs.

Given the “$7.1 trillion transatlantic economic relationship”, all sides should expect the European Commission and the U.S. Department of Commerce to come up with a new deal on international transfers in the not-so-distant future. Local data protection authorities and the European Data Protection Board are likely to issue detailed guidance on transatlantic transfers in the immediate future.

Reliance on SCCs

The CJEU emphasised that reliance on SCCs is conditional on the clauses offering adequate protection in practice, not merely on paper. This may be particularly challenging for transfers to the US, given the court’s findings on the general lack of protection of personal data in the US in view of the disproportionate and unrestrained access to such data by US authorities pursuant to domestic surveillance legislation (in particular Section 702 of FISA and Executive Order 12333). In this context the CJEU points out the importance of two existing obligations in the Commission decision establishing the SCCs:

  • the obligation on both the EEA and the US business to verify, prior to any transfer, whether the level of protection guaranteed in the SCCs is respected in the US; and
  • the obligation of the US business to inform the EEA business of any inability to comply with the SCCs, in which case the EEA business is in turn obliged to suspend the transfer of data and/or to terminate the contract.

These two obligations, and the first in particular, may be quite difficult to meet in practice. However, for the time being and in the absence of a new EEA-US personal data transfer deal and a revision of the SCCs by the European Commission, businesses on both sides of the Atlantic should consider:

  • adding supplementary clauses to the SCCs to address US government requests for access to personal data received from the EEA. For example, EEA businesses may require their US counterparties to notify them of such requests in advance, to the extent the law permits, and to return or delete the relevant personal data where necessary;
  • elaborating any additional guarantees for the protection of EEA personal data from indiscriminate US government access, to the extent legally permitted. For example, where a US provider is used purely for data hosting, it (and by extension the US government, through an order served on it) can be precluded from actually reading the data where the data is encrypted at all times, in transit and at rest. This only holds if the encryption keys are generated and held by the EEA business (or a provider outside US jurisdiction) and never made available to the US host; a provider that must process the data in plaintext to deliver its service cannot be locked out in this way;
  • auditing US vendors’ sub-contractors who may be processing copies of EEA personal data;
  • engaging with regulators on both sides of the Atlantic to seek further official assurance that SCCs, as modified to address the points raised by the CJEU, are still appropriate and valid for specific transfers;
  • segregating datacentres so that European personal data does not physically leave the boundaries of the EEA, bearing in mind that remote access to EEA-hosted data by staff or systems in the US (for example for support or administration) is itself treated as a transfer; and
  • keeping up to date with local regulatory guidance.

Category: Article