EU-US Privacy Shield no longer valid for GDPR purposes

Following the Court of Justice of the European Union's judgment of 16 July 2020 in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18, ECLI:EU:C:2020:559), commonly known as "Schrems II", the EU-US Privacy Shield can no longer be relied upon by those transferring the personal data of EU-based data subjects from an EU Member State to the US. The Court declared the Commission decision underpinning the Privacy Shield invalid with immediate effect.

Under the EU General Data Protection Regulation (GDPR), personal data may only be transferred to a ‘third country’ (i.e. a country outside the EU) if one of the transfer mechanisms set out in Chapter V of the GDPR applies. These include:

• An EU Commission adequacy decision (Article 45), which finds that the existing data protection laws of the ‘third country’ already provide an essentially equivalent level of protection, so that no further safeguard is required for the transfer. This applies to countries such as New Zealand and Switzerland, but not to the US.
• Standard contractual clauses (Article 46), adopted by the Commission and entered into by the data exporter and data importer, which oblige the parties to put in place defined processes and procedures to protect the transferred data.
• Binding Corporate Rules (Article 47), which a corporate group can adopt to govern transfers of personal data between its affiliated entities inside and outside the EU. These must be approved by the competent data protection supervisory authority, not by the Commission.
• Transfers based on derogations for specific situations (Article 49), such as where the data subject has given prior explicit consent to the transfer or the transfer is necessary for the performance of a contract.

Prior to the Schrems II ruling, US organisations could self-certify under the Privacy Shield framework, and EU exporters could rely on that certification to transfer personal data from the EU to the US compliantly. This is no longer the case.

Any entity currently relying on the Privacy Shield for GDPR purposes must therefore now put an alternative transfer mechanism in place to remain compliant.

At Redfern Legal, for EU to US transfers and for transfers to other countries not covered by an adequacy decision, we would usually recommend that standard contractual clauses are entered into. The Schrems II judgment confirmed that these remain valid for GDPR purposes. Companies that adopt the clauses must do so in their entirety and must adapt their internal practices to match them, and data subjects must have enforceable rights and effective legal remedies under them. The Court also made clear that the clauses alone are not always sufficient: the exporter must assess, for each transfer, whether the law of the destination country allows the importer to actually comply with the clauses, and where it does not, must adopt supplementary measures or suspend the transfer.

Please get in touch with us if you would like further advice to ensure you have the necessary documentation in place to remain GDPR compliant.

Madeleine Rhodes