From 16 July 2020 it became immediately unlawful to transfer personal data outside of the EEA to the US by relying on a Privacy Shield as a guarantee of compliance with relevant EU data protection laws.
This article explains what employers must now do if they need to continue to share personal data with the United States, and with other third countries (countries and states other than the EU member states, Norway, Liechtenstein and Iceland).
Fundamental rights of data subjects
The European Court of Justice ruled in the Schrems II case that the Privacy Shield could no longer be used to guarantee an appropriate level of data protection because of the level of interference US law permitted with the fundamental rights of data subjects.
Therefore, from 16 July 2020 it became immediately unlawful to transfer personal data outside of the EEA to the US by relying on a Privacy Shield as a guarantee of compliance with relevant EU data protection laws.
Brexit: does this apply to the UK now it has left the EU?
Yes. As a result of Brexit, the UK has become a ‘third country’. However, the GDPR has been written into UK law, creating what is referred to as the ‘UK GDPR’. This generally means that employers must continue to comply in the same way they were required to before Brexit. Therefore, if a US company cannot demonstrate that it will protect the data of EU citizens and of other individuals protected by the GDPR, a UK company should stop sharing that data immediately – unless other acceptable tools or measures are put in place.
Possible tools other than the Privacy Shield
The European Data Protection Board (EDPB) will assess the impact this judgment has on the other transfer tools available. Other tools must reach a standard described as ‘essential equivalence’ (to the requirements of the GDPR) before they may be regarded as an appropriate safeguard for personal data transfers.
How to protect data sent to the US and to other third countries
In the meantime, those sharing data with the US may instead implement Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs) if appropriate for large organisations, to continue to transfer data to the US (and internationally). However, having these clauses in place will not be enough on their own.
Organisations should each conduct a risk assessment in respect of the personal data they transfer, taking into account both the circumstances of the transfer and any supplementary measures that could be put in place.
Once they are satisfied that the SCCs (or BCRs), together with the mitigation of identified risks and any supplementary measures, will achieve a level of protection compliant with the GDPR, they should then ensure that US law does not undermine that level of protection.
If an organisation assesses the circumstances of the transfer and the potential supplementary measures and considers that an appropriate level of protection would not be achieved, then any data transfers must be suspended or brought to an end. If they intend to continue to transfer the data anyway, they must notify the Information Commissioner’s Office (if they are based in the UK).
The same requirements apply not only to the US but to any third country. Ultimately, it is the responsibility of the organisations that send and receive the data to put appropriate safeguards in place and to determine whether the protection required by EU law is respected in that third country (and therefore whether the SCCs or BCRs can realistically be complied with in practice). The receiver of the data can support the sender with this.
‘Consent’ and ‘performance of a contract’ – why employers may not rely on these to send personal data internationally
The GDPR also makes provision for data to be transferred internationally when either the data subject has given consent or the data is needed for the performance of a contract between the data controller and the data subject. However, it is highly unlikely that employers will ever be able to rely on these options. Employees are rarely able to give consent freely, because of the nature of the relationship with the employer; and, as regards the performance of a contract, such data transfers should only ever be ‘occasional’.
For more information and free templates for standard contractual clauses, visit the Information Commissioner’s Office (ICO) web page ‘Standard Contractual Clauses (SCCs) after the transition period ends’.
HR Solutions are here to provide businesses and employers with support and advice on any employment-related issue; to find out more, contact us online or call us on 0844 324 5840.