The ‘landmark update’ to GDPR – ‘Privacy Shield’ no longer valid

Since becoming enforceable on the 26th of May 2018 there have been many legal updates to GDPR but the most significant may be the latest ruling on the EU-US Privacy Shield. The Privacy Shield scheme came into effect in August 2016 to make sure that European residents have equivalent data privacy protections when their data is processed in the US. However, on the 16th July 2020 the European Union Court of Justice found that US safeguards did not meet GDPR’s standards, and ruled that the Privacy Shield longer valid. 

In less than six questions we answer what changes this landmark ruling brings and how they impact you. This information has been sourced from updates by the UK-ICO and from the EU’s court ruling documents. We advise that you consult with your legal team for what is applicable in your specific situation.

Who should read on?

This ruling has further implications but it is particularly important for marketers who have EU/UK based customers and;

  • are based in the US

or

  • are based in the EU/UK but use US-based companies to process personal data, such as Google Analytics (website tracking), G-Suite (email and productivity), web hosting like Amazon Web Services (AWS) and, or if you have a US-based CRM, like Hubspot or Salesforce (on a non-EU Server).

What are the fines for non compliance?

If you do not comply with the new ruling you risk the standard GDPR penalties of up to 10 million euros or 2% of global turnover. This rises to up to 20 million euros or 4% of global turnover in certain cases, for example, when processing special category data.

What was this decision?

The decision was made up of three parts:

  1. The High Court ruled that the EU-US Privacy Shield is no longer valid. This is considered a ‘landmark case’ for international transfers and data protection because this is the legal mechanism which thousands of companies have relied on over the last few years to transfer data between the EU and US.
  2. SCCs (Standard Contractual Clauses – contracts between the data exporter and data importer that state how data will be processed and protected) are upheld. However, companies must verify, on a case-by-case basis, whether the law in the recipient country offers a level of data protection that is equivalent to that of the EU. In many cases more measures will need to be taken beyond what is set out in the current SCCs – so these documents will need to be updated to remain valid. You should check with your non-EU service providers if new SCCs are available, and if you have no SCC in place, seek one.
  3. There is now a clear obligation to suspend data transfers which breach the rules. When the court reviewed SCCs they concluded that these can only be valid if data transfers are “suspended or prohibited” when there is failure to deliver the agreed protections or it becomes impossible to honour them

Much of these decisions were influenced by the EU Court’s opinion on the use of mass collection surveillance programmes by US National Security agencies, which it decided breach the GDPR principle of proportionality. Due to the fact that they are not strictly limited to only what is necessary. These programmes often take a collect all approach rather than a collect what we need now approach and offer limited or no legal recourse for EU Citizens who wish to challenge the use of their personal data in the programmes.

How have the major influencers reacted to this?

For major international companies like Google and Facebook many legal changes are required. Any company that previously relied on the EU-US Privacy Shield for data transfers will immediately need to put alternative measures in place, such as SCCs. Companies that relied on SCCs or other contractual agreements should now review those documents. We covered how Google responded to here but the main focus for large international organisations is to update their data practices or face heavy fines. 

What does it mean in terms of Brexit?

As the UK is exiting from the EU, the Privacy Shield may still stand for UK residents. This is plausible because of existing UK-US security ties but there are still questions whether this new ruling will put an end to current UK/US data sharing flows. At the moment we are in a limbo state. The Information Commissioner’s Office (ICO) have advised that companies read the guidance from the ECJ and “react promptly as guidance and advice becomes available”, meaning that for now, there is no definite answer.

What do you need to do next?

Here are the steps that you should take today:

  1. Review, sign and collate updated SCCs.
    Many US services have updated their SCCs to reflect the new ruling. You should now review these new SCCs, and decide if they meet your requirements for adequate protection of EU citizens’ data.
  2. Update your privacy policies 
    You must reflect how your customer data will be protected by SCCs or supplementary measures. The third parties that you use should be updating their privacy policies on their website which you will be able to use to update your own policies. If they have not, you should contact them directly.
  3. Brief your team
    Your should inform your team about updates to data policies and retrain staff where needed. 
  4. Keep updated
    We are still yet to see the full extent and how companies will add their own protections to SCCs. Some supervisory authorities, such as the Berlin Data Authority have said, that companies must immediately switch to EU data transfers or other countries with adequate protections. Signing up to receive updates with Google Alerts, following the news section of your local data protection authority or signing up to legal updates with our course can keep you up to date.

Any questions?

Let us know here and we’ll look into it for you.

Update – 1

The U.S. Department of Commerce and the European Commission have made a joint statement that they will proceed with discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that complies with the 16 July judgement of the Court of Justice of the European Union in the Schrems II case.

There is no current timeline for release and approval. For now, you are advised the follow the current ruling, and review your international data transfers.