US Privacy Shield does not protect privacy – ECJ

Most readers will probably be aware that the Data Protection Act 2018 (DPA 2018), which is based on the EU GDPR, has at least one thing in common with previous regulations in that it is not permitted to transfer personal data out of the EU unless appropriate safeguards are in place. 

That represented a potential major headache for firms as much of the technology and software used by business had a US element in the shape of Microsoft and the other US firms that held and still hold a major global market share of all things IT.

The problem appeared to have been solved by the US Safe Harbor protocol until 2015, when the ECJ found in favour of an Austrian citizen, Max Schrems, who objected to his personal data being transferred to the US due to concerns over privacy standards in the US.

Following that decision, the EU and US reached agreement in 2016 that US firms adhering to the standards of the negotiated EU/US Privacy Shield would be considered an acceptable destination for data transferred out of the EU. Now, another recent ECJ decision (July 2020) has declared that agreement invalid and struck down the Privacy Shield as sufficient protection for the personal data of EU citizens, again due to concerns over privacy standards. The case was raised by the same individual, Max Schrems! Mr Schrems’s case was partly prompted by leaks from ex-CIA contractor Edward Snowden which revealed the extent of US Government surveillance.

This decision is important for UK firms. According to University College London’s European Institute, the EU-US Privacy Shield system “underpins transatlantic digital trade” for more than 5,300 companies representing transatlantic trade worth $7.1 trillion (£5.6tn). About 65% of them are small and medium-sized enterprises (SMEs) or start-ups.

Financial services firms are potentially affected more severely than some other sectors because much of the sector relies on the processing of clients’ personal data. The Privacy Shield was a simple way in which firms could ensure compliance with the DPA 2018 if they used US-derived IT or software in their business, as many, if not most, probably do.

What next?
There have been calls for a period of grace before any enforcement action based on the new situation is taken. It remains to be seen whether this will be granted. Meantime, the UK ICO has issued a statement on the ECJ decision which suggests that the data regulator does not intend to jump to enforcement:

“We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.

The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”

So, it is largely a case of watch this space. However, data controllers still have the obligation to undertake adequate due diligence on any non-EU data destination and, with respect to US destinations, that just became a lot more difficult as a result of the striking down of the Privacy Shield agreement.

In the absence of the Privacy Shield, affected companies will now have to sign “standard contractual clauses” (SCCs): non-negotiable legal contracts drawn up by the EU, which are also used for transfers to countries other than the US.

The good news is that these are already used by many big players. In particular, Microsoft has issued a statement saying it already uses them and so is unaffected by the ECJ ruling.

EU Withdrawal
For UK firms, this ruling is arguably not as problematic as it might first appear. The UK’s withdrawal from the EU meant that any contracts reliant on the Privacy Shield would have had to be reviewed anyway at the end of the transition period in December 2020. Replacing them with SCCs where required is probably a similar workload. And, given the amount of money involved, it is probably reasonable to expect all the major players involved with UK financial firms to follow Microsoft’s lead and put alternatives to the Privacy Shield in place.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.


Our View

This decision could have an impact on firms using outsourced or cloud services, or online tools such as back office systems and so on.

Firms should review any such services and satisfy themselves that the location of personal data is compliant following this change of situation. Another review will be needed after the Brexit transition ends in December 2020, in light of whatever data agreements, if any, are put in place with the EU.

For our part, we can confirm that personal data we receive from firms, for example to undertake client file checks, is unaffected by the EU decision.

Action Required By You

• Review any outsourced, cloud or online based services and identify whether the EU decision on Privacy Shield affects these;
• Review again after the Brexit transition to identify any required action in light of any EU/UK data agreement;
• Contact your usual ATEB Consultant for further assistance or contact ATEB directly.
About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.
