Most readers will probably be aware that the Data Protection Act 2018 (DPA 2018), which is based on the EU GDPR, has at least one thing in common with previous regulations in that it is not permitted to transfer personal data out of the EU unless appropriate safeguards are in place.
That represented a potentially major headache for firms, as much of the technology and software used by business had a US element in the shape of Microsoft and the other US firms that held, and still hold, a major global market share of all things IT.
The problem appeared to have been solved by the US Safe Harbor protocol until 2015, when the ECJ found in favour of an Austrian citizen, Max Schrems, who objected to his personal data being transferred to the US due to concerns over privacy standards in the US.
Following that decision, the EU and US reached agreement in 2016 that US firms adhering to the standards of the EU/US negotiated Privacy Shield would be considered an acceptable target for data transfer out of the EU. Now, another recent ECJ decision (July 2020) has declared the agreement invalid and struck down the Privacy Shield as sufficient protection for the personal data of EU citizens, again due to concerns over privacy standards. The case was raised by the same individual, Max Schrems! Mr Schrems’s case was partly prompted by leaks from ex-CIA contractor Edward Snowden which revealed the extent of US Government surveillance.
This decision is important for UK firms. According to University College London’s European Institute, the EU-US Privacy Shield system “underpins transatlantic digital trade” for more than 5,300 companies representing transatlantic trade worth $7.1 trillion (£5.6tn). About 65% of them are small and medium-sized enterprises (SMEs) or start-ups.
Financial services firms are potentially affected more severely than some other sectors because much of the sector relies on the processing of clients’ personal data. The Privacy Shield was a simple way in which firms could ensure compliance with the DPA 2018 if they used US-derived IT or software in their business, as many, if not most, probably do.
There have been calls for a period of grace before any enforcement action based on the new situation is taken. It remains to be seen whether this will be granted. Meanwhile, the UK ICO has issued a statement on the ECJ decision which suggests that the data regulator does not intend to jump to enforcement:
“We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.
The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”
So, it is largely a case of watch this space. However, data controllers still have the obligation to undertake adequate due diligence on any non-EU data destination and, with respect to US destinations, that just became a lot more difficult as a result of the striking down of the Privacy Shield agreement.
In the absence of the Privacy Shield, affected companies will now have to sign “standard contractual clauses” (SCCs): non-negotiable legal contracts drawn up by Europe, which are also used for transfers to countries other than the US.
The good news is that these are already used by many big players. In particular, Microsoft has issued a statement saying it already uses them and so is unaffected by the ECJ ruling.
For UK firms, this ruling is arguably not as problematic as it might first appear. The UK’s withdrawal from the EU meant that any Privacy Shield-reliant contracts would have had to be reviewed anyway at the end of the transition period in December 2020. Replacing them with SCCs where required is probably a similar workload. And, given the amount of money involved, it is probably reasonable to expect all the major players involved with UK financial firms to follow Microsoft’s lead and put alternatives to the Privacy Shield in place.