The Court of Justice of the European Union (CJEU) has given judgment in the Schrems II case, holding that the EU-US Privacy Shield scheme that permitted transfers of personal data from the EU to third parties in the US that had signed up to the Privacy Shield does not provide sufficient protection and is therefore invalid. Below, we consider the implications of this decision for UK employers.
Legal background
Although the UK has technically left the EU, the EU General Data Protection Regulation (GDPR) has been incorporated by the UK into its domestic law and therefore continues to apply, even after Brexit. In addition, the UK remains bound by decisions of the CJEU that are issued during the post-Brexit transition period.
Safeguards for transferring personal data outside the EEA
The GDPR prohibits transfers of personal data to countries outside the EEA unless “appropriate safeguards” are in place or an exception applies, on the basis that those countries may not otherwise offer sufficient protections for personal data.
Accordingly, a UK company cannot transfer its employees’ or customers’ personal data to a third party outside the EEA, including another group company, except in certain tightly defined situations. This restriction may be relevant to UK employers in various scenarios, the most common being if they have an overseas parent company with which they are expected to share certain employee personal data, e.g. for the purposes of centralised HR management.
The “appropriate safeguards” that employers may rely on include:
- an “adequacy decision” issued by the European Commission confirming that the country in question provides an adequate level of protection for personal data. (The countries currently covered by adequacy decisions are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay); or
- standard contractual clauses (SCCs) adopted by the European Commission for transfers outside the EEA, which can be entered into between the UK based employer and the third party outside the EEA; or
- binding corporate rules (a set of written rules and procedures governing the transfer of personal data between the entities in a corporate group, that has been approved by the national data protection authority in the EU country where the group is considered to be established).
EU-US Privacy Shield Scheme
The case stems from a long-running complaint brought to the Irish data protection authority by Max Schrems, an Austrian privacy campaigner and Facebook user, seeking to prevent Facebook Ireland from transferring his personal data to servers located in the US that belong to its parent company, Facebook Inc. Mr Schrems argued that US law did not sufficiently protect his personal data against access by the US public authorities. In 2015 the CJEU ruled that the predecessor to the Privacy Shield scheme (known as the EU-US Safe Harbor arrangement) was invalid (the Schrems I case).
In the aftermath of the Schrems I case, Facebook Ireland informed the Irish data protection authority that it had SCCs in place with Facebook Inc. to legitimise its personal data transfers to the US. The European Commission and the US Department of Commerce also devised the Privacy Shield scheme to give greater protections to personal data than the Safe Harbor arrangement had done.
Mr Schrems, however, was not content with either of these safeguard mechanisms and submitted a revised complaint to the Irish data protection authority, which referred questions to the CJEU, asking it to rule on the validity of SCCs and Privacy Shield.
The CJEU ruled that the Privacy Shield is invalid. It considered that the Privacy Shield did not sufficiently limit the rights of US public authorities to access and use EU personal data. In addition, the CJEU took the view that the right of an EU data subject whose data has been transferred under the Privacy Shield to make a complaint to a Privacy Shield Ombudsperson did not provide data subjects with equivalent protections to the GDPR.
The SCCs were found to be valid as a means of legitimising transfers of personal data to countries outside the EEA. However, the CJEU introduced some significant limitations to their use. An organisation seeking to rely on SCCs (a ‘data exporter’) must, according to the CJEU, satisfy itself that the laws of the country to which it is transferring personal data offer an appropriate level of protection of that data.
The CJEU also emphasised the responsibility of the data protection authorities in the EU to suspend or prohibit transfers of personal data to third countries under SCCs if they consider that deficiencies in the third country’s laws mean that it is no longer possible for data importers in that country to comply with the SCCs.
Implications for UK organisations that transfer personal data outside the EEA
It is not just transfers to the US that may require review. SCCs remain valid in principle. However, in order to achieve proper data protection compliance in practice, organisations must consider carefully whether the data protection regime that applies in each third country to which they transfer personal data in reliance on SCCs can offer an appropriate level of protection for that data.
Organisations will no doubt be hoping for constructive and practical guidance from the ICO to help them manage the impact of this decision on their international personal data transfers going forward. For the moment, we suggest auditing what personal data you transfer outside the EEA, the purpose of each transfer and the nature of the safeguards relied on, and then waiting to see what further guidance is provided by the ICO.
Broader implications for the UK post-Brexit
Until the European Commission grants an adequacy decision, organisations in the EEA wishing to transfer personal data to recipients in the UK after the end of the transition period will likely need to rely on SCCs to do so.
How we can help
If you are not a Make UK member company, but are interested in accessing these resources, as well as our expert HR and employment law advice, please call us on 0808 168 5874, or email firstname.lastname@example.org.