Max Schrems has spoiled US plans for dealing with personal data from Europe for a second time. On 16 July 2020 the CJEU delivered its judgment in the case now known as Schrems II, invalidating the EU-US Privacy Shield. Privacy Shield had allowed personal data to flow from the EU to participating US companies without any other transfer mechanism being needed.
Privacy Shield was itself developed after a successful challenge to its predecessor, Safe Harbor. That challenge was also brought by Mr Schrems, and once again his victory will have significant ramifications for UK and EU businesses that do business with the US.
Currently, companies in the UK need one of the following conditions to apply before they can transfer personal data to a country outside the EU:
The idea behind Privacy Shield (and Safe Harbor before it) was to give EU companies an alternative route for sending personal data to the US. Even though the US had no adequacy decision, sending personal data to a company that had certified under Privacy Shield was treated as if adequacy applied, so none of the other conditions listed above needed to be met.
Thanks to Mr Schrems's latest victory, that option is no longer on the table, so anyone sending personal data to the US needs to look at the remaining options above. As option 4 is not readily available at present, option 3 is unlikely to apply in most cases and option 5 is hugely impractical, in practice the choice in many cases comes down to one: the standard contractual clauses (SCCs).
Although the CJEU explicitly upheld the validity of the SCCs, there is one complicating factor. The court specifically reviewed section 702 of the US Foreign Intelligence Surveillance Act (FISA), which allows the National Security Agency to obtain foreign intelligence on non-US persons outside the US from data held by electronic communications service providers (for example Facebook, or cloud providers generally). It also considered Executive Order 12333, under which the NSA collects data in transit on the transatlantic submarine cables that carry most traffic to the US.
The CJEU held that these US surveillance programmes are incompatible with EU law because they are not limited to what is strictly necessary and proportionate, as the EU Charter requires, and because EU data subjects have no actionable rights before US courts against the US authorities (the Privacy Shield Ombudsperson was not found to be an equivalent remedy). Since the protection guaranteed to European data subjects is therefore not essentially equivalent to that in the EU, the Privacy Shield decision was declared invalid with immediate effect and without any grace period.
The same reasoning bites on the SCCs. Before transferring, the exporter must verify whether the importer is subject to laws in its own country (here, the US) that would prevent it from honouring the clauses. If the importer cannot comply and no supplementary measures close the gap, the exporter must suspend the transfer, and supervisory authorities are required to suspend or prohibit transfers where the clauses cannot be complied with in the destination country.
The upshot is that some have interpreted this to mean that a company transferring data to the US through a US cloud storage provider that falls within FISA 702 as an electronic communications service provider (Amazon Web Services is a commonly cited example) cannot lawfully make the transfer even under the SCCs, because the data might be collected by the NSA regardless of what the provider has agreed contractually.
But don't panic. There are steps companies can take even under the most conservative reading of the ruling. The judgment itself contemplates supplementary measures on top of the SCCs. The practical starting point is to map which personal data actually goes to the US and to whom, assess whether each recipient is within reach of FISA 702, and then consider technical measures such as encrypting the data in transit and at rest with keys that remain with the EU exporter, so that a US provider holding the data could not hand it over in readable form.
As to what happens at the end of this year, when the post-Brexit transition period ends, things remain uncertain. If the UK is granted an adequacy decision, transfers from EU countries to the UK can continue unfettered. Otherwise, EU companies wishing to send data to the UK will also need SCCs with each UK recipient. The message to UK companies that process personal data is to start reviewing your data flows and contracts now.
If you have questions about data protection and third country data transfers, contact the data protection team.