The future of EU-US Privacy Shield

The GDPR requires companies to meet certain standards when transferring personal data to non-EU countries (or “third countries”).

The Privacy Shield was accepted by the EU as protecting the rights of EU citizens when their data was transferred to the US. But now, with challenges over its adequacy, the future of the EU-US Privacy Data Shield is not so certain.

Transmitting personal data to the US

The rules on transmitting data to third countries have strict requirements. You can the transfer if the EU has already decided the country you are transferring to has an adequate level of protection, if you can show that the country you are transferring to has the appropriate legal safeguards, or if you have the consent of the person whose data you wish to transfer. 

Any time personal data is entered into a network which could be accessible in the US, data has been transmitted. This could be obvious, like during administration from an EU subsidiary to an American parent company, or it could be behind the scenes, if your company is sharing a cloud for customer data and the servers are located in the US. 

What is a Privacy Shield?

A Privacy Shield protects the rights of EU citizens and comply with the GDPR by introducing additional protections when data is transmitted to the US for commercial purposes.  

The EU declared that the transfer of data to the US is permissible to certain companies if they self-certify under the Privacy Shield Scheme and renew this certification every year. The US Department of Commerce reviews whether these companies are complying with the regulations, and publishes a list of all the self-certifying companies it has reviewed. 

Along with this supervision, the EU will make sure that the level of protection the US is offering is adequate, and it will publish an annual summary of these reviews. The EU checks that the US companies are offering independent ombudsmen free of charge, in case there are any concerns over the level of protection afforded to them, and also that the US companies are willing to cooperate with any investigations or advice given. 

There have been doubts over the adequacy of the Privacy Shield since its creation in 2016. The US can access personal data if it can justify it on the basis of security, and the EU Data Protection Working Party has suggested that it’s safeguards to restrict arbitrary access are vague.

Pressure from the European Parliament

In 2017, after its first annual review, the EU determined that the EU-US Privacy Shield was adequate, but made recommendations for the US to pro-actively monitor compliance and make sure an ombudsman is always appointed for any complaints from EU citizens. The US hasn’t done this - in fact, it has extended the enabling provision for foreign intelligence, and it has failed to grant EU citizens rights against surveillance by US security agencies. 

In July 2018, the European Parliament passed Resolution 2018/2855(RSP) stating that there had been no moves by the US to show better compliance. The European Parliament therefore pledged to ask the EU to withdraw from its adequacy decision of 2017 in respect of the EU-US Privacy Shield. 

In October 2018, the EU issued a request to the US Secretary of Commerce to make the requested changes, and it is due to publish the results of its yearly review at the end of this year. Since there is no sign of the changes requested from the US being made, it is possible that the report could conclude that personal data protection under the EU-US Privacy Shield is inadequate.   

Pressure from the Courts

While all of this has been going on, the Irish High Court has issued 11 questions to the Court of Justice of the European Union (“CJEU”) about the adequacy of the Privacy Shield scheme, after an EU citizen complained to the Irish Data Protection Commissioner about the transfer of personal data by Facebook Ireland Ltd to its US parent company. 

To complicate matters further, Facebook plans to appeal for the Irish Court’s referral to be set aside and is expected to argue that there is no requirement to seek clarification from the CJEU on EU-US data transfers. The hearing is set for January 2019. However, the CJEU has made its position clear that adequate data protection includes effective legal protection.

What for the Future of Privacy Data Shields?

It is possible that the EU could abrogate or suspend the Privacy Shield, or that the CJEU could rule it ineffective, meaning that transfers of personal data to the US from the EU under the Privacy Shield scheme would not be compliant with GDPR requirements.

That being said, the review in 2017 - while critical - didn’t set out any hard deadlines for the US or make any specific threats to end the deal, so it is unlikely that this year’s review would do that. Hopefully, both parties would want to work towards a more acceptable agreement, rather than scrap it and start all over again. 

Nothing definite yet, but watch this space!

If the Privacy Shield is invalidated, what can companies do to lawfully transfer personal data to the US?

There are some alternative options, meaning that even in the event of a negative decision at the end of 2018, EU based companies can still lawfully transfer personal data to the US using alternative options.

  1. EU Standard Data Protection Clauses (Commission Contractual Clauses)

  2. Binding Corporate Rules

  3. Individual Clauses

Given the uncertainty around the future of the EU-US Privacy Shield Scheme, the best plan of action is to keep continually reviewing the procedures you have in place for your own data transfers to third countries, making sure you are compliant for the time being until any big changes are made clear. For now, we wait for the EU’s published review.

As always, if you are uncertain on the agreements you have in place or would like to consider alternative protection mechanisms, please get in touch.

Authors: Lily Morrison, Legal Consultant at Gerrish Legal / Charlotte Gerrish, Founding Lawyer at Gerrish Legal

November 2018