Schrems II: privacy without a shield

With the recent ruling in Commissioner v Facebook Ireland Ltd and another (‘Schrems II’), organisations will have to reconsider how they handle data transfers from the UK to the USA.

The USA is not currently recognised as having an adequate level of protection under the General Data Protection Regulation (‘GDPR’); in essence, this means any personal data transfer to the USA is a ‘restricted’ transfer. In short, the transferring party will require specific safeguards or derogations in place to avoid the risk of heavy fines and penalties.

In response, the Privacy Shield was introduced in 2016 and approved by the European Commission; the scheme allowed US organisations to register as providing adequate personal data protection, thus freeing up personal data transfers to registered organisations.

However, as of 16th July 2020, the Court of Justice of the European Union has declared the scheme invalid. As a result, the Privacy Shield is no longer a valid option for complying with obligations under the GDPR. The scheme itself will continue to run, and participants are still bound by the obligations in the Privacy Shield itself, but those who rely on it will need to satisfy themselves that they have an alternative lawful route to compliance. As a reminder, breaching the GDPR carries a maximum fine of the larger of €20 million or 4% of an organisation’s annual global turnover.

Other options to comply with the GDPR include:

  1. Binding corporate rules – an internal code of conduct within a multinational group, which needs to be submitted to a supervisory authority for approval (the Information Commissioner’s Office in the UK).
  2. Standard data protection clauses adopted by the Commission – a series of clauses adopted by the European Commission which would need to be incorporated into the contract between the data exporter and data importer; these impose contractual obligations on the parties, and grant contractual rights for those whose personal data is transferred.

Further exceptions exist, but by and large these only cover occasional or exceptional transfers. The key point for organisations to bear in mind is that, in the event of a data breach or an investigation, it will be too late to put a risk management system in place; any investigation will turn on the evidence already available.

All organisations should therefore carefully re-examine how, and to whom, they transfer personal data to the USA, and ensure they have an audit trail demonstrating the safeguards they have in place. Careful audits and risk assessments will be needed to maintain compliance, monitor whether breaches have occurred, and make the changes necessary to ensure that data transfers remain lawful.

For more information on the article above please contact Ben Derrington.