Personal Data Transfers from the EU to the US: Privacy Shield is no longer a valid transfer mechanism

The GDPR requires that if the personal data of EU data subjects is being processed outside of the EU then it must be protected in a manner broadly equivalent to the data protection afforded under the GDPR. The European Commission has previously determined that the domestic laws of a number of countries provide such protection, but for those countries for which no such ‘adequacy decision’ has been made (such as the US) then one of a number of data transfer mechanisms must be used.

The Privacy Shield was a unique data transfer mechanism in that it applied only to data transfers from the EU to the US and only applied to those US companies certified under that programme.

Those US companies which are Privacy Shield certified and previously relied on that status as the mechanism under which personal data may be processed by them in compliance with the GDPR must now use another data transfer mechanism.

It will be recalled that the Privacy Shield itself was introduced with some haste to replace the ill-fated ‘Safe Harbor’ mechanism which was invalidated in a previous legal challenge by Max Schrems. Its successor has now met the same fate, with the key issue again being the access to and use of personal data by US intelligence agencies in a manner which is regarded as both disproportionate to what is necessary to achieve the stated purpose and leaves the data subject without effective legal redress.

The European Commission’s Standard Contractual Clauses (SCC) were also reviewed by the Court and were found to be a valid data transfer mechanism and accordingly SCC can continue to be used and are likely to prove the swiftest alternative mechanism for those companies previously using the Privacy Shield.

However, the Court also commented that whilst SCC in themselves constitute a valid date transfer mechanism, the SCC require the EU data controller and the non-EU data controller or processor to verify, prior to any transfer, whether the level of protection required by EU law is actually respected in the third country concerned. The recipient is, where appropriate, under an obligation to inform the EU data controller of any inability to comply with those clauses, and the EU data controller is then, in turn, obliged to suspend the transfer of data and/or to terminate the contract.

So the Court also issued a warning that simply signing up to the SCC cannot ‘whitewash’ a data transfer and there is an obligation to verify that the use of those clauses will actually be an ‘effective mechanism’ to ensure compliance with the GDPR before using them to transfer data outside the EU.

The key consequence of the Schrems II case is therefore that the US has lost the special status accorded to it by the EU-US Privacy Shield and is now regarded in the same way as any other third country for which no adequacy decision exists. Data transfers to any such third country may be made provided that one of the permitted data transfer mechanisms is used and that tends to be the SCC in probably the majority of cases. But all companies using the SCC to transfer personal data to any third country and not only the US, are now on clear notice that they need to verify that they can actually deliver what they are signing up to when they use the SCC.