A recent joint announcement from the US and EU states a new Privacy Shield has been agreed in principle. This news will be a relief to many organisations responsible for the flow of personal data between the US and the EU.
Until 2020, Privacy Shield was the main mechanism under which personal data could be transferred between organisations in the EU and the US while complying with the EU’s data protection regime (specifically the General Data Protection Regulation, or GDPR).
However, in July 2020 the Court of Justice of the European Union ruled Privacy Shield invalid in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Schrems II). The court held the scheme was invalid because the US was unable to offer certain guarantees in order to protect data subjects’ rights.
Without the scheme, organisations have been forced to turn to other more cumbersome methods to legitimise data flows into/out of the US. The situation was further complicated by the UK’s withdrawal from the EU and recent issue of its own international data transfer mechanism (the ‘International Data Transfer Agreement’), and the EU’s release of updated data transfer precedent clauses (‘Standard Contractual Clauses’).
A clear, unambiguous and updated reissue of Privacy Shield has the potential to significantly ease data flows between the EU and the US. In particular, it may streamline data protection compliance where EU entities use US processors, such as Amazon Web Services or Microsoft cloud storage.
However, the announcement indicates that the US will be countering the issues raised in Schrems II with policy changes, rather than changes in law. It remains to be seen whether this will be enough to satisfy the European Courts – Max Shrems has already indicated his organisation will be considering the final text closely, and is prepared to take the matter to court again.
The scheme itself does not relate to the UK directly; however, it is likely to be indicative of the near future for UK data protection regulation. In particular, recent comments from the Department for Digital, Culture, Media and Sport show the government is eager to allow organisations more flexibility to expand data processing. A UK-specific version of a new Privacy Shield agreement would be a key cornerstone for such a move.
For more advice on the transfer of personal data overseas, please contact Alastair Turnbull or James Cassidy in the Information Law & Privacy Team.