October 2020 Update: Transferring personal data to the US – implications of the European Court of Justice’s (CJEU) Schrems II judgement
A guide to the current position on transferring personal data to the US following the Schrems II judgement.
Under the GDPR, if an organisation wishes to transfer the personal data of an EU data subject to an organisation based outside the EEA (a "third country"), then a safeguarding mechanism has to be put in place. This is to ensure that the rights of EU data subjects are given the same level of protection in the third country as in the EU. There are a number of such mechanisms; for a full list see Appendix 1 and the ICO website.
For most personal data transfers to the US, organisations were able to take advantage of the EU-US Privacy Shield. On July 16th 2020, however, the CJEU ruled that the EU-US Privacy Shield was invalid, and therefore organisations based in the EEA can no longer rely on it as a safeguarding mechanism when transferring the personal data of EU data subjects to the US.
In practical terms this means that other safeguarding mechanisms need to be put in place. The most obvious of these are Standard Contractual Clauses (SCCs), but the CJEU's ruling has cast doubt on whether, in the case of US recipients, SCCs on their own provide enough protection. This is because US surveillance laws may mean that the contractual terms of the SCCs alone cannot guarantee the protection the GDPR requires.
The following is a guide to the current position as we understand it. It is not intended to constitute legal advice. If in doubt members are advised to seek their own independent legal advice.
The ICO’s view
The ICO has confirmed that guidance will be made available following the Schrems II judgment but has not indicated when this will be. The ICO's interim guidance (dated July 27, 2020) gives little concrete direction to those who have relied on the Privacy Shield to date, but it would seem prudent for organisations to make plans for alternatives to be put in place.
What is clear is that if an organisation has not used the Privacy Shield prior to the CJEU’s judgement of July 16, 2020 then they cannot use it post July 16, 2020.
We will continue to monitor the ICO's advice.
The European Data Protection Board (EDPB)
The EDPB has produced a series of FAQs that may prove helpful.
What should members do?
a. In the first instance members should ensure that they have a correct understanding of their data flows: which personal data of EU data subjects is transferred outside the EEA, to whom, and under which safeguarding mechanism. Remember that the invalidation of the Privacy Shield only affects the personal data of EU data subjects being transferred out of the EEA to the US; the ruling's requirement to assess whether SCCs provide adequate protection applies to transfers to any third country.
b. Having done this, the next step depends on your situation:
1. If you are already transferring personal data to the US
- If you have signed up to the EU-US Privacy Shield: as it is now invalid, you must put other safeguarding mechanisms in place as soon as possible. The ICO has said it will take a pragmatic approach, but the implication is that if you make no attempt to set up an alternative then the ICO will act. This means fines and/or sanctions could be imposed, as for any other breach of the GDPR.
- If you are using SCCs: the CJEU judgement casts doubt on whether SCCs used for transferring data to the US can offer adequate protection, although there may be situations in which they do. SCCs must be considered on a case-by-case basis, so you will need to assess whether the organisation the data is being transferred to can provide the protection demanded by the GDPR, particularly with regard to passing on information to surveillance agencies (this applies to any third country, not just the US).
The EDPB recommends performing a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist in this.
For more details on how SCCs can be used and the form they should take, see the ICO's guide to International Transfers. The ICO has also produced an Interactive Tool which, although designed to help organisations decide when SCCs are appropriate after Brexit, can be used by organisations now.
2. For any new transfers to the US after July 16th, 2020, you must use an alternative mechanism. Generally SCCs are the most suitable alternative when transferring data out of the EEA, but following the CJEU judgment this is not so clear cut for transfers to the US. See Appendix 1 for examples of permitted alternatives.
3. If you are unsure whether personal data is being transferred, ask your service provider to confirm where the data is stored and processed.
4. If in doubt – seek legal advice.
c. In all cases
1. Check the ICO website for their latest advice
2. Check the EDPB news page for the latest updates and advice.
3. Check ICAEW's Data Protection and Privacy webpage regularly, as we are monitoring the situation closely and will update members as soon as we can.
4. If you have any specific questions:
a. ICO: call the ICO helpline on 0303 123 1113.
b. ICAEW: help is available from the Technical Advisory Service (TAS).
Appendix 1: Adequacy Decisions and Alternative Mechanisms permitted by the GDPR
Countries outside the European Economic Area (EEA) are deemed 'third countries', and an organisation cannot assume that it can automatically transfer the personal data of EU data subjects to a recipient in a third country, or that the recipient may process it. For such a transfer there must either be an 'adequacy' decision by the EU Commission in respect of that third country, or the organisation must use an alternative mechanism that offers appropriate safeguards. The latter must be assessed on a case-by-case basis.
In simple terms an adequacy decision is an acknowledgement by the EU Commission that the data protection regime in a third country offers EU data subjects a level of protection essentially equivalent to that under EU legislation. That being so, the transfer of personal data of EU data subjects to that third country is permitted, although the transfer itself must still be GDPR-compliant.
There are two types – full and partial:
A full adequacy decision means that no additional safeguards are required for the transfer of personal data to that country. In this case all an EU organisation needs to do is check that the country to which it wishes to transfer personal data has a full adequacy decision in force.
So far 11 countries including Japan, Switzerland, Argentina and New Zealand have successfully negotiated a full adequacy decision. Negotiations are ongoing with several other countries but it can be a very lengthy process (years rather than days).
Adequacy decisions are subject to review by the EU Commission and so can be amended or revoked at any time.
1. Canada has been granted a 'partial' adequacy decision. This means not all organisations and not all types of personal data are covered by the decision. The Canadian adequacy decision only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and not all data is subject to PIPEDA.
2. The EU–US Privacy Shield framework was the only other partial adequacy decision but it has now been ruled as invalid.
There are a number of alternative mechanisms that offer ‘appropriate safeguards’ over the personal data of EU data subjects. These only apply in specific situations and are subject to very strict rules.
a. Binding corporate rules (BCRs) - can be used by multinational organisations when transferring personal information outside the EEA but within their group of entities and subsidiaries. Organisations must get approval for their BCRs from an EU data protection authority, with one authority acting as the lead.
b. Standard Contractual Clauses (SCCs) - EU Commission-approved 'standard contractual clauses' (also known as model clauses; the controller-to-processor set is in the annex to EU decision 2010/87/EU) incorporated into a contract. The clauses contain contractual obligations on the data exporter (the organisation based inside the EEA that sends the data) and the data importer (the recipient based outside the EEA), and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. The clauses must be used as approved, without amendment, which is why the importer's ability to honour them under its local law (see above) matters. The model clauses run to nine pages and businesses may wish to obtain their own legal advice before seeking to rely on them.
c. Permitted Exceptions - The GDPR has eight permitted exceptions (the ICO's term for the Article 49 derogations), but these should only be used as true 'exceptions' from the general rule that you should not make a transfer unless it is covered by an adequacy decision or there are appropriate safeguards in place. In most cases they can only apply to 'occasional' and 'necessary' transfers or in very specific one-off instances (such as to protect the vital interests of a data subject in a medical emergency). Some permitted exceptions require you to inform the ICO of, and justify, the transfer. As the permitted exceptions are so narrow in scope they are unlikely to be of use in the majority of cases. For more details and examples of when such exceptions may be permitted see the ICO guide.
d. Codes of conduct – The code of conduct must be approved by a supervisory authority (such as the ICO) and include appropriate safeguards to protect the rights of individuals whose personal data is transferred, and which can be directly enforced and monitored.
e. Certification schemes – These must be approved by a supervisory authority (such as the ICO) and include appropriate safeguards to protect the rights of individuals whose personal data is being transferred, and which can be directly enforced.