EU/US Privacy Shield data transfers invalid

The Office of the Data Protection Authority (ODPA) is alerting local organisations to take note of a recent judgement from the Court of Justice of the European Union (CJEU) which affects all businesses who transfer personal data outside of the Bailiwick and the EU.

On 16 July 2020 the CJEU ruled that the EU-US legal framework for data transfers known as ‘Privacy Shield’ is invalid. This means that local organisations need to take steps outlined below to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.

The now invalid Privacy Shield was a legal framework between the EU and the United States of America (US) that allowed personal data from the EU to be transferred to the US. ‘Standard Contractual Clauses’ (SCCs) are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA).

The CJEU ruled on both Privacy Shield and SCCs in their judgement of 16 July 2020. They concluded in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), that Privacy Shield is invalid but affirmed SCCs’ validity.

The background which led to this CJEU judgement goes back many years and involves Maximillian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.

The ODPA emphasises that the CJEU’s judgement:

• highlights the crucial role of privacy protections;
• emphasises that these protections must travel with data;
• relates to all non-EEA and non-‘adequate’ jurisdictions, not just the US;
• and that these types of data transfers cannot be a tick-box exercise.

The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.

The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgement requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency.

In the meantime, considering the immediate effect of Privacy Shield being invalid, any local organisations that may be affected should do the following:

1. Identify if you have been relying on the EU-US Privacy Shield for data transfers. You will need to check the terms of service, contracts or Privacy Statements for all third parties you may use to process your data (e.g. Eventbrite, Facebook, MailChimp, LinkedIn, Twitter, Instagram, Basecamp, Slack etc.)
2. If you find that you have been relying on Privacy Shield you must work towards an alternative. Please refer to sections 56, 57 and 59 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for details of data transfer requirements.
3. If you are relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards. Whilst the CJEU judgement recognises SCCs as valid, it also raises significant questions around their use. It is clear that relying on ‘derogations’ (such as SCCs or BCRs) in light of this judgement is no longer a straightforward matter and reliance upon any mechanisms cannot be a paper exercise.
4. Whilst this judgement does not prohibit data transfers outside of the EEA and adequate jurisdictions, you do need to carefully review your position and invest resources into ensuring appropriate safeguards are in place.

• Read Court of Justice of the European Union Judgement (Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems).
• Read European Data Protection Board (EDPB) statement
• Read EDPB's Frequently Asked Questions about the judgement