logo text

Friday, 17 July 2020

Court Decision Affects How Businesses Transfer Data to the USA

The European Court of Justice (ECJ) has today delivered its verdict on a long-running case between Facebook Ireland and Max Schrems, an Austrian lawyer and privacy activist. For many businesses that transfer personal data from the EU to the USA, and indeed to many other jurisdictions outside the EU, this decision has fundamental impact.

Validity of Privacy Shield

The court decided that the EU–US Privacy Shield (Privacy Shield) was no longer valid, on the basis that the US regulatory regime does not adequately protect EU citizens’ data rights. US legislation allows US government agencies to have access to EU personal data, for example, when running surveillance programs. The court found that the USA offered inadequate protection of EU citizens’ rights, and no effective rights or legal remedy in the USA. Crikey! Any businesses relying on the Privacy Shield should look at their situation urgently, and decide how best to manage transfers from the UK/EU to the USA.

Validity of SCCs

The court also considered the validity of the EU’s standard contractual clauses (SCCs) for transfers of EU personal data outside the EU and made the following findings:

  • The SCCs were valid, but it was for the parties transferring the personal data to assess the adequacy of the regulatory regime in the non-EU jurisdiction (in particular, the recipient organisation must tell the data exporter whether the local laws allow it to comply with the SCCs!).
  • If the guarantees contained within the SCCs were not upheld, data protection regulators like the UK’s Information Commissioner’s Office (ICO) should suspend the data transfers that rely on them. 
Gulp! Businesses using the SCCs need to conduct a review of the local regulatory regime wherever they (or indeed their sub-contractors or their sub-contractor’s sub-contractors…) are processing their personal data.

This, of course, is not an easy task: European regulators take years to assess whether a country’s data protection regime is adequate!


If the court saw fit to invalidate the Privacy Shield on the grounds that the US regulatory regime offered inadequate protection, does that mean that any analysis of the US regime for the purposes of using the SCCs fails, too?

The Irish Data Protection Commission is certainly looking to explore that question. In its reaction to the court’s decision, it stated, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg Data Protection Commissioner has also offered many helpful observations.

However, it may take time to get a definitive answer: so far, we haven’t seen any guidance from the European Data Protection Board, and the ICO has only issued a preliminary holding statement.

The court kindly pointed out that there are other mechanisms for international transfers (such as where they are necessary for a contract, or based on the consent of each individual, etc.), but that is little help to businesses conducting large-scale, ongoing or regular transfers of personal data, or where consent simply isn’t practical (especially given that obtaining consent that complies with the General Data Protection Regulation (
GDPR) is itself a tricky task).

Our thoughts

The ECJ’s verdict is not unexpected, especially given ongoing criticism of the Privacy Shield by various EU bodies in recent months.

However, it is, of course, disappointing for the European Commission, who have to start again to find a new solution; for the affected US companies themselves; and for all those organisations who rely on services or business involving the USA.

So, what next? Well, before panic sets in, remember that we have been here before. Back in 2015, Max Schrems’ earlier legal challenge against Facebook Ireland led to the invalidation of the previous EUUS Safe Harbor Framework (the predecessor to the Privacy Shield). It wasn’t the end of the world then, and it is unlikely to be now.

In 2015, EU regulators were sympathetic in the aftermath of the decision, and gave organisations some time to put in place other compliance measures (mostly the SCCs). Almost immediately, work also began to craft a new EUUS-compliant mechanism, which evolved into the Privacy Shield. It is likely that similar approaches will follow over the coming months.

What is clear is that a better mechanism will be needed this time around, to avoid more legal challenge and uncertainty for businesses. It is likely that most organisations will now turn to SCCs for, at the very least, an interim solution.

However, those SCCs are not in great shape: they have yet to be updated for the GDPR and there are countless other issues with them, given how dated they are. New versions have been worked on for some time, so what next? Wait for new SCCs to be published (but risk non-compliance in the meantime) or scrabble around to put new terms in place ASAP, knowing they will need to be changed again before long? It’s not an easy decision to make!

Alternatives to SCCs

Organisations must bear in mind that they will now be expected to consider whether the data protection regime adequately protects the data rights of EU individuals in the USA, or any other jurisdiction outside the European Economic Area (EEA) with no adequacy decision, for that matter.

And lets remember: the UK comes out of the Brexit transition period on 1 January 2021. Businesses need to keep an eye on whether the EU will decide if the UK is an adequate jurisdiction and therefore whether the EU will enable free flows of personal data to the UK. As part of those developments, we will all need to monitor how UK data protection law evolves, once the UK has worked out how to take back control and retain a data protection regime that is sufficiently similar to the EU to enable businesses to continue free flows of personal data!

Now could be a good time to consider some alternatives to SCCs:
  • We’ve already received approaches in relation to whether binding corporate rules (BCRs) are the new golden ticket and need serious consideration now. We wonder whether BCRs will be worth the effort, though, if the USA can’t offer adequate protection to EU citizens without some serious changes to their regime.
  • What extra safeguards can you put in place in addition to the SCCs? Are there ways to bolster the SCCs themselves by adding clauses that go above and beyond the base set of provisions? Is there a way to limit the personal data being processed in the USA? Suppliers will make offers as quickly as the day of the ECJ’s verdict even – to offer fully contained EU data solutions that don’t depend on transfer to the USA at all.
  • Remember that there are other ways to transfer data internationally – particularly if you only send personal data occasionally or it’s for a specific contract with the individual (like a foreign hotel booking).

Next steps

Sadly, it’s time to pull the contracts out of the drawer – again.

We understand that there will be a lot of uncertainty in light of the judgment, so if you need any advice about your organisation’s approach to transferring personal data to and from the USA, or indeed other jurisdictions outside the EU, please don’t hesitate to contact us at Pritchetts for advice on next steps.

Wednesday, 22 April 2020

Coronavirus and data protection in the workplace: your questions answered

As the coronavirus pandemic has swept the globe, news reports have understandably tended to focus on the potential impact on the population both at home and at work, as well as the government’s response. However, as organisations grapple with how best to maintain their business operations while protecting their workforce, questions related to data protection continue to arise.

The UK data protection regulator, the Information Commissioner’s Office (“ICO”), is issuing guidance via its data protection and coronavirus information hub. It has also updated its regulatory strategy to reflect the changed environment, saying, “We recognise that the current reduction in organisations’ resources could impact their ability to comply with aspects of the law. We are committed to an empathetic and pragmatic approach, and will demonstrate this through our actions.” So, if you find that you need to redirect your usual efforts due to the current working constraints, this is a great time to get your house in order and tick off some of those data protection compliance jobs you’ve been saving for a rainy day.

As data protection experts, we thought it might be helpful to share our expertise and answer some common questions that we’ve encountered from our clients.

Q: We want to follow the government guidance for minimising the spread of coronavirus by enabling our staff to work from home. What data protection issues should we be aware of?

The security principle of the General Data Protection Regulation (“GDPR”) requires you to establish and maintain appropriate security measures to protect the personal data you hold. With information moving off-site, away from the security established at the workplace, these measures need careful review. 

If you don’t already have a policy to cover remote working, some items to consider are:
  • Is the device that will be used remotely and/or the data encrypted? If so, this is good news because the data should not be accessible without the encryption code. 
  • If encryption isn’t an option, is the data pseudonymised, i.e. has information been replaced/removed so that it no longer identifies an individual? 
  • Has access to personal email been blocked from work devices? 
  • Will the worker be using a secure private network rather than a public network on the remote device? 
  • Will the remote device and any accessories be stored securely when not in use, e.g. in a locked room or in a locked bag?
For more information, see the guidance from the National Cyber Security Centre and the ICO’s advice on working from home.

We have worked with many clients on creating various data protection policies including home-working, so please contact us if you would like our help with this.

Q: A major part of my job is responding to subject access requests and other individual rights requests. However, coronavirus has really disrupted our business, so I’ll struggle to meet the response times set out in the GDPR. Will my organisation get fined for non-compliance?

The ICO is the data protection body with the power to issue fines. It has reassured people that it won’t penalise organisations that need to prioritise other areas during these unprecedented times.

The timescales set out in the GDPR are enshrined in law, so they cannot be extended, but the ICO has committed to warning people that they may experience “understandable delays” in the progress of any information rights requests during the pandemic. Its updated regulatory strategy states, “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.

Q: Some of our employees have informed us that they will be self-isolating because they are experiencing some symptoms of coronavirus. Are we allowed to pass on this info to other staff? How can we do this in a GDPR-compliant way?

Yes, as part of your duty of care to your staff, you should keep them informed about cases (whether possible or confirmed) of coronavirus in the organisation.

To do so in a GDPR-compliant way, there are three main elements of the GDPR to bear in mind:

  • The purpose limitation principle requires you to have specified the purposes that the data would be put to when you collected it and not process the data further in a way that is incompatible with those purposes. 
  • The data minimisation principle requires you to identify the minimum amount of personal data that you need to fulfil your purpose. In this example, think hard about whether you need to name the affected individuals and make sure that you don’t provide more information than is strictly necessary.
  • Health data is one of the special categories of personal data, which means that there are more stringent conditions in place for processing it. As with standard data, you must identify a lawful basis for processing under Article 6 of the GDPR, but you must also identify a separate condition for processing under Article 9.
Think carefully. Do you need to name the affected individuals? It’s unlikely. How much information do you need to provide? It’s probably less than you think. Be sensitive to the fact that, even if you do not name the person, it might be obvious who the individual is, given their role and/or the size of your organisation.

Q: We want to tell our customers how coronavirus will affect our business and their dealings with us. Are we allowed to do this, or will we be breaching marketing laws?

It depends on the thrust of your message. If you confine your communication to routine information about service interruptions, delivery arrangements, etc. brought on by the impact of the coronavirus pandemic on your business, this is unlikely to count as direct marketing and you could rely on legitimate interests as your basis for communicating.

However, if you include promotional material that, for example, is aimed at getting customers to buy extra products or services, the message would be classed as direct marketing and other rules would apply, in particular where you are sending emails or other electronic direct marketing messages. The ICO states, “You can still rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.” (The Privacy and Electronic Communications Regulations (“PECR”) sit alongside the GDPR and give people specific privacy rights in relation to electronic communications.) For more information, see the ICO’s Guide to PECR.

To be fully GDPR-compliant, don’t forget to document your decisions on legitimate interests. You still need to do this to meet the requirements of the GDPR’s accountability principle in terms of demonstrating compliance.

Q: Data protection is just one of our many worries, how on earth should I prioritise everything?

Here at Pritchetts, we’ve created a whizzy spreadsheet that helps organisations to track risks, prioritise them and document next steps. If you’d like a copy, please get in touch.

And finally…

Q: With schools closed, I’m trying to work from home at the same time as looking after my kids. Any tips?!

You’ll be needing a tip-top Internet connection, buckets of patience and coffee. Lots of coffee! Also, a space to retreat to when you just need a few minutes to yourself. Fortunately, there’s a wealth of online resources out there to help those of us in this brave new world:
Plus, dance, drawing, Minecraft and a whole lot more – all available for free! Best of luck!

If you have a question that you’d like us to include here, please get in touch and we’ll update the blog as soon as possible.