You’re transferring personal data to the US? The Privacy Shield is no longer a legal basis for transfer
As of July 16, 2020, following the judgment of the Court of Justice of the European Union in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems, transfers of personal data to the USA can no longer be carried out on the basis of the EU-US Privacy Shield.
Entrepreneurs who have so far transferred personal data to US entities certified under the Privacy Shield programme face a major problem. On July 16, 2020, the Court of Justice of the EU, in its judgment in Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems, invalidated the European Commission's decision finding that the Privacy Shield provides adequate protection for personal data transferred to the US. The verdict is yet another success for the Austrian activist Maximilian Schrems, whose earlier complaint led to the invalidation of the programme that preceded the Privacy Shield, the so-called Safe Harbour.
What is the Privacy Shield?
The Privacy Shield was a self-certification programme for organisations located in the USA that process personal data. Those who joined the programme committed themselves to personal data protection principles intended to ensure that the level of protection did not fall below that applicable within the EU. The European Commission recognised the Privacy Shield as providing an adequate level of protection for personal data transferred from the EU within the meaning of Article 45 GDPR. When transferring data to a Privacy Shield-certified entity, it was therefore not necessary to put in place further safeguards to legalise the transfer, e.g. to conclude standard contractual clauses.
Why has the Privacy Shield been invalidated?
The Court explains that the invalidation of the European Commission's decision follows from the fact that data transferred to the US may be accessed by US authorities for national security purposes, and that US law does not grant data subjects actionable rights before the courts to restrict or challenge such access. Consequently, the US does not ensure a level of protection essentially equivalent to that guaranteed within the EU.
What has changed since 16 July 2020? How to legally transfer data to the US?
Since July 16, 2020, the fact that the entity to which we transfer personal data belongs to the Privacy Shield programme no longer provides an adequate level of protection to legalise the transfer. To continue transferring personal data to such an entity lawfully, a new basis for the transfer has to be found.
Moreover, entities that transfer personal data to the US on the basis of tools other than the Privacy Shield, e.g. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), must also verify how the data are transferred and assess whether US law undermines the level of protection those tools are meant to guarantee. If standard contractual clauses are in force between the parties but their provisions cannot in practice be complied with because of US domestic law, even with additional measures, the data transfer must be suspended.
This is because a lawful transfer of personal data requires that the data enjoy a level of protection essentially equivalent to that guaranteed within the European Economic Area by the GDPR.
The European Data Protection Board has announced that it will soon issue recommendations on supplementary measures (e.g. organisational and technical measures) that can raise the level of data protection to an acceptable level.
Transfer of personal data on the basis of consent
Where the assessment of the level of protection shows that data cannot be transferred to the US while maintaining an adequate level of protection, the controller may in certain cases carry out the transfer on the basis of the derogations set out in Article 49 GDPR, the most common of which is the consent of the data subject. However, it should be borne in mind that such a transfer cannot be based on implied consent: the consent must be explicit, and the data subject must be informed of the possible risks of the transfer before giving it. The European Data Protection Board has also stressed that these derogations are to be interpreted restrictively and are not a basis for systematic, repeated transfers.