What is (or was) Privacy Shield?

Where a controller or processor of personal data located in the European Economic Area (EEA) transfers personal data outside the EEA, this generally puts it out of the reach of the GDPR.

To ensure individuals’ personal data continues to be protected, the GDPR restricts transfers of personal data outside the EEA (referred to as “restricted transfers”).

Where the European Commission has decided that a country or territory’s legal framework adequately protects individuals’ rights and freedoms for their personal data, this is called an “adequacy decision”. Adequacy decisions can also be made in respect of sectors and international organisations. Restricted transfers where the destination is covered by an adequacy decision must comply with the GDPR but do not require specific contracts.

The adequacy decision for the USA was only partial – it only applied to personal data transfers covered by the EU-US Privacy Shield framework. Privacy Shield required certified US companies to protect personal data, as well as providing mechanisms for redress in the event of breaches.

Privacy Shield replaced the previous “Safe Harbor” system, which was declared invalid in the first Schrems case.

What did the Court decide?

The Court decided that the EU-US Privacy Shield was invalid.

The main reason for this decision was that the Court did not see the US legal system as providing sufficient protections for data subjects whose personal data had been transferred to the US.

The Court also looked at the Standard Contractual Clauses (SCCs). The SCCs are a standard form contract provided by the European Commission, which is the main method businesses use to make restricted transfers to countries without adequacy decisions. The current SCCs were prepared pre-GDPR, and do not include some of the contractual clauses required by the GDPR, but have yet to be replaced.

The decision of the Court was that the SCCs remain a valid way to make restricted transfers.

However, the Court gave a reminder that the SCCs are only an appropriate safeguard where the parties have considered the laws of the country to which the personal data will be transferred, and conducted a risk assessment as to whether the SCCs provide enough protection in this context. That assessment takes into account the circumstances of the transfers and any additional measures that could be put in place (e.g. additional contractual provisions; technical and/or organisational security measures).

What do I need to do?

If your business was registered with Privacy Shield, you will need to put in place alternative arrangements to protect personal data being transferred to the US.

If your business is making transfers of personal data to the US, you should check the contractual arrangements you have in place, and whether the recipient is on the Privacy Shield list. If you had been relying on the Privacy Shield to make these transfers, you will need to find an alternative.

The European Data Protection Board FAQs confirm that there is no grace period. It is therefore important that businesses work quickly to put alternatives in place – either agreeing the SCCs (with or without additional safeguards) subject to a risk assessment, or ceasing transfers of personal data to the US.