The EU-U.S. Privacy Shield is no longer lawful

17 July 2020
From 16 July 2020, transfers of personal data from the EU to the U.S. using the EU-U.S. Privacy Shield mechanism are no longer compliant with the GDPR.

Companies that transfer personal data from the EU to the U.S. must now put in place an alternative compliance mechanism as soon as possible to comply with the GDPR.

What is the EU-U.S. Privacy Shield?

Article 44 of the GDPR requires certain protection mechanisms to be put in place when transferring personal data from the EU to a third country. The EU-U.S. Privacy Shield is a compliance mechanism intended to allow U.S. entities to receive personal data from EU entities in a GDPR-compliant manner if the U.S. entity has signed up to comply with the requirements of the Privacy Shield.

What happened and what has changed?

On 16 July 2020, the European Court of Justice (ECJ) delivered its final judgement in the “Schrems II” case and struck down the EU-U.S. Privacy Shield. The ECJ found that the Privacy Shield fails to protect individuals’ rights to privacy, data protection and access to a remedy.

The Schrems II case originated from a complaint made by Mr Max Schrems to the Irish Data Protection Commission (DPC) questioning the validity of the transfer and processing of data from Facebook Ireland to Facebook USA on the basis of the standard contractual clauses (SCCs). The DPC brought an action against Facebook before the High Court in Ireland. In May 2018, the Court referred various questions on the validity of the standard contractual clauses and the EU-U.S. Privacy Shield to the ECJ for a decision.

The ECJ’s decision in this case confirms the validity of the standard contractual clauses but invalidates the EU-U.S. Privacy Shield. This means that, going forward, it is no longer possible to rely on the Privacy Shield scheme as automatically meeting the “adequacy” of protection that the EU requires when personal data is exported from the EU to the U.S.

Despite confirming the validity of the standard contractual clauses, the ECJ has raised a few concerns regarding their use. In particular, it questioned whether the safeguards contained in the standard contractual clauses can actually be implemented where national laws (including national security and/or law enforcement requirements) applicable to the data importer (i.e. the U.S. recipient of personal data) prevent those safeguards from being effective.

What actions you need to take

1. Identify affected personal data

If you are a company that transfers data from the EU to the U.S., you must first determine whether your transfers are affected by the Schrems II decision. You’re likely to be affected, and could be in violation of the GDPR, if you are:

  • a U.S. company that receives data from the EU (such as a U.S. parent with a European subsidiary or European-based customers or suppliers); or
  • a European company that:
    • sends personal data to the U.S. (whether to a group company, customer or supplier); or
    • uses cloud software with servers in the U.S. and is relying on the Privacy Shield.

2. Implement GDPR-compliant data processing and transfer agreements

If you determine you are affected by the ruling, you should as soon as possible implement International Personal Data Processing and Transfer Agreements which incorporate the standard contractual clauses or another appropriate compliance mechanism.

3. Review other relevant policies and take other actions as needed

You may also need to:

  • review and update your external and internal privacy policies where they refer to transfers of personal data from the EU;
  • provide updated data protection training to your employees; and
  • take other steps as you are advised.