The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities
The government has said that it is working with the Information Commissioner’s Office to provide advice “as soon as possible” on what the end of the EU-US Privacy Shield agreement means for UK organisations and their data-protection responsibilities.
Since 2016, the conditions set out in the Privacy Shield arrangement have ensured the lawful transfer of personal data between the US and the European Union. The agreement requires US data processors to self-certify their compliance, and binds them to certain conditions and obligations.
Privacy Shield came into effect in 2016, replacing the Safe Harbor agreement – which had been invalidated by the Court of Justice following a legal challenge led by Austrian privacy activist Max Schrems.
This month, announcing its decision in the case known as ‘Schrems II’, the CJEU found that Privacy Shield is now also invalid.
Although they can no longer rely on Privacy Shield as confirming a lawful basis for sharing personal data across the Atlantic, EU organisations have been advised that they may be able to rely on standard contractual clauses (SCCs) in their agreements with the data processor in question.
But this may not always be the case and, according to the ICO, UK organisations “must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework – whether the transfer is to the US or elsewhere”.
“The receiver of the data may be able to assist you with this,” the regulator added. “Supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our regulatory action policy. The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”
Minister for media and data John Whittingdale said: “The UK government is working with the Information Commissioner’s Office and international counterparts on the implications of the judgment and to update guidance on international data transfers as soon as possible.”
Responding to a written parliamentary question from Labour MP Chi Onwurah, the minister added that, once the country leaves the EU, the UK will be responsible for taking its own measures to ensure that data is transferred overseas lawfully.
“During the transition period the CJEU’s decisions are binding on the UK,” he said. “From the end of the transition period, the UK will be responsible for the means by which personal data may be lawfully transferred to countries outside of the UK, including adequacy decisions and alternative transfer mechanisms.”