CJEU RULES THAT THE MECHANISM FOR TRANSFERRING DATA TO THE US IS INVALID

Yesterday’s decision by the Court of Justice of the European Union (CJEU) will affect many UK businesses and other organisations that send personal data to the US. 

Businesses now need to check whether they currently rely on the Privacy Shield mechanism to share such data and act swiftly to put an alternative mechanism in place if required, after the court ruled that the Privacy Shield does not provide adequate protection to personal data transferred from the EU to the US. 

The CJEU has held the Privacy Shield to be invalid, largely because of the security regime operating in the US and the resulting access to personal data. This means it is now unlawful for parties to transfer personal data to the US using this regime. As personal data will not simply stop flowing to and from the US, businesses and other organisations will need to act quickly to implement an alternative safeguard for the transfer of personal data to the US which complies with European data protection laws.

Joseph Fitzgibbon, Solicitor in Shepherd and Wedderburn’s media and technology team said:

“We advise organisations transferring personal data to the US to check whether the Privacy Shield is the mechanism being used and take steps to put an alternative mechanism in place.

“This decision will hopefully prompt the European Commission to produce a more robust solution for data transfers. This will likely take the form of a long-awaited update to SCCs, which have not been updated in line with the General Data Protection Regulation and still do not permit processor-to-processor data transfers. 

The decision will serve as a warning to jurisdictions whose governing authorities process data for the purpose of public security and defence, as such processing may preclude these countries from being able to demonstrate adequate safeguards for the protection of personal data.

“This case is also interesting from a UK perspective as, following the end of the transition period at the end of 2020, the UK will also need to put in place a regime to allow transfers to continue to be made from the EEA to the UK. Although the UK is aiming to achieve an adequacy decision which would mean the need for any contractual formalities would be avoided, given the time pressures to agree a deal by the end of the year there is a possibility this will not be achieved. Many UK businesses would need to be looking at SCCs as a short-term alternative to ensure the free flow of data can continue.”