The demise of Privacy Shield [Update] – What it means and practical steps you need to take.
21st August 2020
We reported in our blog last month that the European Court ruled on 16th July 2020 that Privacy Shield was no longer a valid means of transferring personal data to the US.
Now that the dust has settled on what is a very significant ruling, what do you, as an organisation, need to do in order to ensure that you remain compliant with UK data protection laws?
What was Privacy Shield?
Briefly, it was a framework that organisations could sign up to so that they could transfer personal data between Europe and the US. It was required because the data protection laws in Europe are different from those in the US. The Privacy Shield framework was introduced to afford data subjects the same protections as in the GDPR; this then made the international transfer lawful.
However, the July ruling said ‘no’, Privacy Shield was not good enough – primarily due to issues surrounding US surveillance legislation.
So, what next?
The biggest issue is for the 3,500 or so European businesses who have been relying on Privacy Shield. They now need to find an urgent new solution if they are to continue transferring data to the US.
Currently, the standard alternative to Privacy Shield is to use a document known as a Standard Contractual Clause (SCC). These are more cumbersome than Privacy Shield but do a similar job. It is likely that this is the route most of the 3,500 companies will have to go down initially. However, there needs to be some caution, as it is suggested that the European Court is also going to make some changes to how SCCs work – so it will be essential to monitor the situation.
Additionally, SCCs didn’t get away ‘scot-free’ in the latest court case either. It was made clear that the onus was on the Controller to do their due diligence on both the company and the country receiving the personal data.
I don’t rely on Privacy Shield – do I?
There are many organisations who do not realise that their suppliers are relying on Privacy Shield, which in effect means they are too. It is important to check, for example, whether your IT, HR or CRM systems are relying on Privacy Shield. If they are, we suggest you find out what they are going to do about it, as a matter of urgency, or seek an alternative supplier within the UK or EU.
You can check if your supplier is one of those relying on Privacy Shield here:
What do your customers and staff need to know?
If you are responsible for data protection / data governance in your organisation, make sure you clearly communicate the new legislation and educate your team on what it means to them regarding how they handle customers’ personal data.
Perhaps create an FAQ document that answers both staff and customer questions. Be prepared.
What about Brexit?
Just to make things even more complicated, the UK is no longer part of the European Union and the end of the transition phase of our exit from Europe is on the horizon. The UK is hoping for an ‘adequacy decision’ from the EU so that data can be transferred between Europe and the UK freely. Once we are fully out of Europe, new UK data protection legislation will be put in place, although it will broadly be in line with the GDPR in order to gain the ‘adequacy decision’ we seek.
That said, there are many commentators who feel that the UK may be viewed in a similar vein to the US and that, because of our surveillance culture, we may not get an adequacy decision, meaning we will also have to have in place separate SCCs with EU Controllers wishing to transfer data to the UK.
Once we are fully out of Europe, we will be able to make our own legislation regarding data transfers to the US, but if this involves EU citizens’ data, then the UK / US / Europe triangle conundrum will continue. Then we have Brexit and Presidential Elections in the US thrown into the mix . . . we watch with interest and will keep you informed of developments.
Who thought data protection could have us on the edge of our seats?!
If you need any help or advice about transferring personal data out of the UK or in relation to any of the points mentioned above – book a half hour complimentary consultation via Zoom.
We are here for you.