Member Services

01 23 777 88

or complete our Contact Form


01 23 777 23

or complete our Contact Form


European Court Ruling on Data Transfers means big changes for GDPR & Privacy Shield

A recent European judgement means that data transfers outside of Europe (EEA) that currently rely on Privacy Shield are now invalid. The new ruling, which may also apply to data transfers to/from the UK at the end of the year, clarifies any transfer of data as ‘data processing’ and therefore covered by GDPR rules.

ICS Vice President and data protection expert Declan Brady offers his observations on the new ruling and what you need to do below.

Privacy Shield is dead. Get your data transfers sorted if they are outside of Europe (EEA) - that may include the UK very soon

In a nutshell, the judgement decided that:

  • the GDPR applies to the act of exporting data to a processor in another country i.e. that the transfer itself is processing;
  • any assessment of whether standard contractual clauses (“SCCs”) are sufficient to protect the rights and freedoms of data subjects when data is transferred to a third country must take into account both the clauses themselves and the relevant aspects of the legal system in that third country;
  • a supervisory authority is obliged to prohibit data transfers based on use of standard contractual clauses if, in its view, such clauses are not or cannot be complied with in the third country;
  • standard contractual clauses, of themselves, are otherwise a valid legal basis for the export of data;
  • Privacy Shield is not a valid legal basis for the export of data to the USA.

With both main parties to the case (Max Schrems and Facebook) claiming victory from the result, the devil, of course, is in the detail. In a nutshell, Privacy Shield is now dead and cannot be used, but SCCs can be, provided all the underlying conditions for use of SCCs are met.

What are the implications of all this?

Well, if – as a data controller – you are not exporting data outside of the EEA (directly or indirectly), then you need not worry about it (note that the UK is neither in the EU nor EEA, and that the transition period ends on December 31, at which point it may become a third country).

If you're not exporting data outside of the EEA, you need not worry

If you are transferring data to the USA, and you are relying on Privacy Shield as your basis, then this is no longer valid and you need to seek a different solution (see Art.46).

If you are transferring data to a third country (i.e. outside of the EEA), and you are relying on standard contractual clauses as your basis, then you need to re-evaluate whether your use of standard contractual clauses actually meets all the conditions that apply to them and apply to the transfer of data.

Does your use of SCCs meet all the conditions that must apply?

What should your next steps be?

Firstly, make sure you engage the right experts. The judgement covers a fair bit of ground over its 40+ pages, and requires a good understanding of various decisions and directives of the EU. The judgement also makes clear (if it was not clear before) that it is the data controller’s responsibility to ensure that appropriate safeguards are in place prior to the transfer of any data. While standard contractual clauses are affirmed as a valid basis, they are not sufficient in their own right. Other bases should be considered too, as potentially should other technical solutions.

Engage with the right experts, and consult with your business on the changed risk landscape

Next, you must consult with your business; the judgement shifts the risk landscape, and this needs to be considered; the risk arithmetic may have an impact on business and technical strategy. Different options will present themselves, and these need to be deliberated before presenting recommendations to the business leadership. Ensure that the risk evaluations, recommendations and decisions are appropriately documented.

Then develop your plan and take action. Because the judgement, while providing new clarity on Privacy Shield and standard contractual clauses, raises questions about other areas (for example, how will data controllers assess the third country legal context for adequate enforceability of standard contractual clauses?), it will be necessary to monitor advice from supervisory authorities across the EU as further clarity is sought. 

Take action, but monitor advice from Supervisory Authorities.

Article republished with kind permission from Declan Brady, ICS Vice President and data protection expert. Read his original post here.

Share this article!