Data Protection: EU-US Privacy Shield declared invalid

Gordon Kerr - EuRA's Strategic Consultant for Legal Services updates us on the impact of the new EU Ruling

The European Court of Justice (ECJ) ruled, on 16th July, that the EU-US Privacy Shield is invalid.  The Privacy Shield was introduced in 2015, following agreement between the European Commission and the US Government, and allows businesses to move personal data freely from EU countries to the United States.  The now illegal agreement is used by tech giants such as Facebook, Google and Amazon, as well as by almost every large company in the EU, for their transatlantic data transfers.  In the context of the relocation industry, most US-headquartered relocation companies use their Privacy Shield accreditation to allow personal data on assignees and transferees to be held in central servers located in the US.

The ECJ’s reason for the decision is that the privacy rights of EU citizens are not adequately protected when their personal data is transferred to the US under the Privacy Shield.  There has been a long-running argument, led by European privacy activists, about American national security and surveillance policies, which allow US security agencies greater access to personal data than that allowed in EU countries.

So, what does this mean for relocation businesses?  Unfortunately, there is bound to be some disruption, as RMCs which have relied on Privacy Shield accreditation, now need to put in place alternative legal wording in all contracts which cover data transfers to the US.  European DSPs can expect to see a flurry of requests for contract amendments to be signed.  In legal terms, RMCs will be incorporating EU “Standard Contractual Clauses” into their service contracts with clients and suppliers.

It seems likely that companies will be given a period of grace to sort out these new contractual arrangements and it is theoretically possible that the EU Commission and US Government could agree a new form of Privacy Shield which satisfies the ECJ’s objections.  But the US is hardly likely to reform its national security and surveillance legislation in pursuit of an EU data transfer agreement, so it is difficult to imagine what a new agreement could look like.

The fall of the Privacy Shield also complicates an already difficult process for the UK in seeking a “data adequacy” decision from the EU before the Brexit transition period ends on 31st December.  If the UK is not formally recognised by the EU as a safe haven for data transfers, there could be huge disruption to EU-UK data flows from January 2021.  

This legal decision has the potential to create admin headaches for businesses across our industry.  When the full implications of the decision have been digested by national data protection authorities, we should see specific recommendations emerging on the best way forward for international businesses. 

Eura will monitor these developments and keep members up to date on new “best practices” for managing data transfers."