
Schrems strikes again: EU-US Privacy Shield invalid, says CJEU


This article has been updated since publication to include reference to the Information Commissioner’s Office updated statement following Schrems II.

The health and life sciences industry is operating on an increasingly global basis. The transfer of personal data across borders is often necessary to enable effective co-operation, development, and innovation, and to take advantage of the latest health technology. This includes apps, connected devices and data-driven services, the use of which is rapidly growing in both the NHS and private sector in the UK.

We see clients seeking to do work with international businesses including pharmaceutical and medical devices companies, suppliers of electronic patient record systems, and healthtech businesses in territories across the globe, seeking clarification of the steps they should take to ensure that any data transfer is undertaken lawfully.

The answer to this depends on the countries involved and requires consideration of not only the General Data Protection Regulation (GDPR), but also of decisions of the European Commission and Court of Justice of the EU (CJEU). The CJEU’s latest judgment on the point, Schrems II, has created further questions for those looking to transfer data to operators in the US and other countries. Where does this leave us?

International transfers – the basics

Transfer of personal data outside of the EU is restricted by the provisions of the GDPR. In general, the GDPR provides that data can only be transferred lawfully where consideration has been given to protecting data subjects from having their data compromised once it is no longer protected by the GDPR itself.

For present purposes, there are two key options for ensuring that this is the case:

(i) The country in question is covered by an ‘adequacy decision’ by the European Commission – a finding by the European Commission that the legal framework in the country provides ‘adequate’ protection for data subjects; and/or

(ii) The data transfer agreement incorporates standard contractual clauses (SCCs) – model contractual clauses approved by the European Commission providing protection for data subjects.

These measures are designed to ensure that data subjects whose data is transferred outside of the EU have enforceable rights and effective legal remedies in the territory in which their data is being used.

Privacy shield and the Schrems II judgment

The Schrems II judgment (as well as its predecessor Schrems I) considers how, and if, data can lawfully be transferred to US organisations, given that the US is not covered by an adequacy decision. 

Under Schrems I, the CJEU found a previous scheme (‘Safe Harbour’) to be invalid. Safe Harbour was therefore replaced by the EU-US Privacy Shield scheme, approved by the US Department of Commerce and the European Commission. But in Schrems II, the CJEU has struck again, finding Privacy Shield to also be invalid.

The key issue in both cases is that, in the US, organisations can be required to provide data to state agencies, particularly the FBI, NSA and CIA, for use in surveillance programmes. US citizens may be able to guard against this, but EU data subjects do not have rights against the US authorities in respect of those programmes, and there is no ombudsperson mechanism to provide rights equivalent to those available under EU law.

Furthermore, the surveillance programmes in the US are not limited to what is strictly necessary, and consequently breach the EU principle of proportionality. Therefore, the CJEU found that Privacy Shield is invalid.

Ensuring lawful transfers to the US (or other territories lacking adequate protections)

To re-pose the questions at the start of this article, where does this leave organisations in the UK that wish to transfer personal data to US organisations to support their dealings with them, or more importantly, may already be doing so? 

The first step is to undertake a stocktake of any situations in which personal data may be transferred to the US. Dealings with US operators are an obvious example; but less obvious examples may be UK/EU based suppliers who use sub-processors in the US, particularly services delivered through apps or ‘in the cloud’.

Where personal data does flow to the US, consider the compliance model currently in place, or intended to be put in place.

  • If the compliance model did not rely on Privacy Shield then it may still stand.
  • If the model did rely on Privacy Shield, then it will need to be replaced.

There is also the question of what to do about ongoing data transfers. An interim statement by the Information Commissioner’s Office (ICO) advised that current data flows under Privacy Shield could continue, but new ones should not be commenced. However, this position has now been updated following a more detailed ICO statement accompanied by FAQs, which now emphasise that data transfers relying on Privacy Shield were invalidated with immediate effect and that an alternative basis for transfers should now be found, in the absence of which data transfers to the USA are illegal. The ICO is also expected to produce more substantive guidance in due course, at which point organisations will need to take steps to conform to any new requirements. If the ICO follows the European Data Protection Board’s lead, there will be no regulatory ‘grace period’. It is therefore time well spent to identify existing arrangements which may need to be updated promptly in the near future.

In all instances, seeking legal advice on the risks and next steps is advised. While the option of replacing any Privacy Shield compliance model with one incorporating SCCs is the most attractive, questions are already being raised about how effective SCCs can be, given that they have only contractual force and will not therefore bind third parties, including, in the US, the likes of the FBI, CIA and NSA. In light of that, this is another point on which guidance from the ICO will need to be considered once available.

With a team of over 250 lawyers, we are one of the leading firms providing legal advice and support to national and international healthcare and life sciences organisations.

From NHS bodies to private providers and practitioners to insurance practices, our multi-disciplinary legal expertise covers the full spectrum of healthcare law including, litigation, commercial, regulatory, employment, investigations and inquests, real estate and disciplinary law. As a full-service international law firm, we take a scalable approach to service delivery, providing immediate access to high-quality legal advice across the full spectrum.

We are committed to working in partnership with our clients, fostering philosophies that are mutually beneficial. Our expertise and experience mean that we understand the issues you face and the clear and practical advice that you require, especially as services and systems become more integrated. We can help you manage risk and obtain better value for money enabling you to improve services and outcomes.
