The Court of Justice of the European Union (CJEU) has issued a ruling which has the effect of invalidating the US-EU Privacy Shield, an agreement between the EU and the US which facilitates the exchange of personal data.
The ruling also examined alternative transfer mechanisms such as Standard Contractual Clauses (SCC’s) and Binding Corporate Rules (BCRs). These mechanisms allow for the transfer of personal data outside the EEA beyond the EU’s adequacy framework. The CJEU upheld the validity of the alternative transfer mechanisms.
The Scherms II ruling is hugely significant and will create a large amount of uncertainty for companies which transfer data between the US and the EEA.
During the transition period the UK is bound by this ruling and therefore UK companies which make use of the Privacy Shield Agreement will be affected.
The court’s upholding of alternative transfer mechanisms such as Standard Contractual Clauses (SCC’s) and Binding Corporate Rules (BCR’s) is welcome.
Many larger companies already have invested in putting these mechanisms in place and the fact that they have been upheld means that their operations will not be immediately impacted by this ruling.
The immediate impact of this ruling is more likely to be felt by smaller firms on both sides of the Atlantic that rely upon the Privacy Shield as a legal basis for their data transfers. Depending on how the European Commission responds to the ruling they will likely have to move very fast to put alternative mechanisms in place to continue to exchange personal data between the EU and US.
This ruling will also have significant implications for the UK as it seeks to develop its own framework of agreements to enable data flows with both the EU and the US. To a large extent these will now be dependent upon the outcome of further negotiations between to the EU and the US as well as the substance of the UK EU adequacy assessment.
International data flows are a fundamental enabler of international trade and it is in the interests of both the US and EU to develop a sustainable regulatory environment which promotes business, innovation and trade whilst protecting data privacy.
We welcome the statement from the US Department of Commerce yesterday to review privacy safeguards for European data if the Privacy Shield were to be struck down.
techUK would like to see a similar commitment from the European Commission to get back round to the negotiating table to find a solution to this important issue. The European Commission could help small business in Europe by providing certainty in the near term through a ‘grace period’ for Privacy Shield similar to what was put in place after Safe Harbor was struck down.
Julian David CEO of techUK said:
“Today’s ruling will create a significant amount of uncertainty particularly for smaller US, UK and EU firms.
Now is the time for cool heads on both sides of the Atlantic. The focus now must be on providing certainty in the near term through a grace period and quickly returning to the negotiating table to build a durable and sustainable solution, creating a dependable regulatory environment for the transfer of data that can support business, innovation and trade”.
This is the second time a data sharing regime between the EU and the US has been struck down by the CJEU in less than five years, following the striking down of the Safe Harbor agreement in 2015.