On 16th July 2020 the Court of Justice of the EU delivered its judgment in the "Schrems II" case, so called as this was the second major challenge to data protection rules brought by privacy campaigner, Max Schrems.
And just like in the first Schrems case back in 2015, the Court has given a hugely significant ruling, which will see major changes in the way that personal data is shared internationally. The judgment also means that plenty of organisations may now suddenly find that they are acting illegally despite their best efforts to comply with the law.
Lots of UK and EU companies regularly share personal data (information relating to living individuals) with the USA. They might share information about their customers or employees with a parent company in the US. More commonly, many rely on service providers based in the USA- effectively transferring data to them every time they use an online platform based there or US based cloud storage.
The EU does not consider the USA to provide "adequate protection" for personal data and so a transfer of personal data can only be lawful if special measures are in place. Two of the commonly used measures are "Privacy Shield" and "Standard Contractual Clauses".
Privacy Shield is a self-certification scheme for US companies. The idea being that if a US company was Privacy Shield registered, the European exporter of personal data could rely on them providing an adequate level of protection. Over 5,000 US companies are currently registered with Privacy Shield and their many, many UK and EU based customers rely on that fact to ensure that they are complying with their obligations to ensure that data is not transferred out of Europe without adequate protection.
However, the Court of Justice has now struck down Privacy Shield, finding that it does not in fact offer adequate protection for personal data.
There's no grace period, so many companies will now be breaking the law by exporting personal data to the US solely in reliance of the Privacy Shield.
We have, to some extent, been here before. Privacy Shield was established as a replacement for the earlier "Safe Harbor" scheme, which the Court of Justice struck down in 2015 in the first Schrems case.
But this time it feels different. That's partly because of comments that the Court made about Standard Contractual Clauses. These are model clauses that can be put in place between the European exporter of data and the importer in the USA and are a key alternative to the Privacy Shield. The Standard Contractual Clauses are quite old and pre-date the General Data Protection Regulation (GDPR). There was therefore some doubt as to whether they were still fit for purpose under the GDPR. The Court has (perhaps surprisingly) upheld their general validity. However, Privacy Shield was undone principally because it offered no protection to European citizens from the access and use of their data by US law enforcement authorities. And there is nothing in the Standard Contractual Clauses that could offer that protection either.
The Court has said that it is up to the parties to Standard Contractual Clauses to verify, prior to any transfer, whether the right level of protection will be respected. Not a particularly easy thing to do.
This judgment will cause data protection headaches for companies throughout Europe, but its effects may be particularly acute in the UK because of Brexit. The UK left the EU earlier this year but right now we're in a transition period where we are considered to be part of the EU for data protection purposes. However, the end of the transition looms (it is scheduled to be the end of 2020). At that point, unless the UK is given a finding of "adequacy" by the EU (which may or may not happen) transfers of personal data from the EU to the UK may themselves become problematic.
The UK's data protection regulator, the ICO, is clearly aware of the difficulties that this judgment brings and it is currently working out its position. We can hopefully expect guidance from the ICO soon.
In the meantime, UK or EU based business should urgently audit their transfers to the US to determine which of them are made on the basis of Privacy Shield. Those will need to change as soon as possible.