On 16 July, the Court of Justice of the European Union (CJEU) handed down its judgement on the EU-US Privacy Shield and Standard Contractual Clauses (SCCs) in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. In essence, this judgement invalidated the EU-US Privacy Shield. The invalidation means that any company registered under the EU-US Privacy Shield has to rapidly adopt SCCs as the default mechanism for data transfers between the EU and the US.
Whilst the UK is in the Brexit transition period, the question of a future adequacy decision by the EU Commission on the UK's capability to provide adequate protection remains unresolved. When the transition period ends, the UK, as a third country, will need to have a series of legal mechanisms in place to preserve data flows between the EU and the UK if no adequacy decision is in place. These mechanisms include SCCs or Binding Corporate Rules (BCRs), which cover intra-group transfers. In the event that an adequacy decision is not provided before 1st January 2021, these legal mechanisms will need to be incorporated into the contracts that UK firms have with EU-based companies. For large multinational companies established in both the UK and the EU, intra-group agreements will need to be approved so that BCRs are incorporated and complied with.
Recently, from the EU's perspective, there have been some interesting developments on data transfers to the United States. On 15th June, the chair of the European Data Protection Board (EDPB) wrote a letter to the EU Parliament outlining the EDPB's concerns with the 2019 US-UK Electronic Data for the Purpose of Countering Serious Crime Agreement. The EDPB was particularly concerned with the U.S. measures contained in Section 3 of the U.S. CLOUD (Clarifying Lawful Overseas Use of Data) Act, which provides that "any U.S. court shall take into account the interests of the United States, including the investigative interests of the government entity seeking to require the disclosure". The U.S. government entities referred to in the statute that are of particular concern to the EDPB are the U.S. national security agencies (i.e. CIA, NSA, FBI), which are often cited as being responsible for the mass processing of personal data within the U.S. The CJEU regards the U.S. approach as contravening the GDPR principle of processing data in a manner that is necessary and right for the respect of privacy, as set out in the European Charter of Fundamental Rights.
As the CJEU has now invalidated the EU-U.S. Privacy Shield, there is a legal lacuna that is currently filled by using SCCs and BCRs. However, it may well be that the EU Commission and the U.S. Government will agree on a new data transfer agreement in the future. From the EU's perspective, any new agreement will need to supersede U.S. domestic law or guarantee that U.S. privacy legislation is extended to EU data subjects, because the EU will need to be confident that U.S. courts do not legally provide U.S. national security agencies with unfettered access to all EU data subjects' personal data when it is transferred from the EU to the U.S. Otherwise, there will be a persistent risk that any new agreement contravenes the GDPR and the European Charter of Fundamental Rights.
In light of the UK's agreement with the U.S. last year, the EDPB has recommended that the EU Commission, when reaching an adequacy decision about the UK, take the UK-U.S. agreement into consideration when assessing the overall level of data protection in the UK. This reflects the EU Commission's concern that any data transferred from the EU to the UK could, in due course, be transferred onward to the U.S. without the EU data subject's knowledge and without GDPR protection.