Schrems II: Privacy Shield invalidated - time to look at Data Export Mechanisms again

Last Thursday, the EU’s Court of Justice, declared that one of the main methods for compliantly transferring personal data outside of the EEA to the US, commonly known as the “Privacy Shield” was no longer valid (due to the lack of oversight of US security and law enforcement agencies when they access non-US citizens’ personal data).

At the same time, one of the other main methods, known as the Standard Contractual Clauses (“SCCs”), were given a stay of execution, but with strings attached (more on this below). These model clauses, which when entered into, legitimise transfers of personal data outside of the EEA (not just to the US but anywhere), had potentially been up for being declared invalid as well.

What should you do?

  1. There is no need to panic. You are not about to get hit by regulatory enforcement action or fines – the ICO (holding statement here) will allow a period of grace for organisations to get their house in order. They’ve done it before and what with everything else going on, they are even more likely to be sympathetic. But you should also bear in mind that individuals or groups might look to bring claims much sooner than any regulator. So it needs will need sorting and should go on your risk register until it is.
  2. Look at your international data-flows – do you or your sub-processors export personal data to the US? If so, what mechanism is used?
  3. If Privacy Shield was the main or only one, then you need to put in place a re-papering exercise to get SCC’s put into place (unless you feel other options are available – see below). You can expect the major vendors to be getting in touch with you to offer some kind of self-serve method to do this. Many of them most likely had more than one export mechanism – certainly this is the case with Microsoft (statement here) and Salesforce (FAQ’s here) so you shouldn’t need to do any more re-papering there.
  4. As mentioned above, the SCC’s are sadly not a magic wand (and were due to be updated to bring them into line for GDPR anyway). The judgement made it clear that exporting organisations (ie the controller) will be expected to assess the level of appropriate safeguards in the country to which the personal data is going – will the rights and freedoms of data subjects be protected in that country or are “supplementary measures” required to bolster the SCCs? Given what the court had to say about law enforcement agency ability to access personal data in the US it seems that SCC’s to US organisations are not without risk. That said, they remain the most realistic option.
  5. Consider if any of the other mechanisms to transfer personal data to the US might apply – for example, the explicit consent of the individual (but remember how high the hurdle is for consent to be valid and this is unlikely to be possible in an employment context). Also, if you are only sending personal data every now and then or it is in the context of a contract with the individual, then you may not need to worry too much.
  6. Consider any alternatives to export – can you require a move of personal data from US data centres to one within the EEA?
  7. Keep a close eye on what the ICO (and other EU regulators) have to say about (a) the supplementary measures that might have to overlay the SCC’s) and (b) any replacement for Privacy Shield. We’ve had “Safe Harbour”, then “Privacy Shield” and now we bring you “Information Defender III – this time its personal” (you hear it here first…).  

Please don’t hesitate to contact ClaydenLaw if you have any questions relating to any of the above issues.