The Information Commissioner's Office (ICO) is currently reviewing its Privacy Shield and Standard Contractual Clauses guidance following the judgment issued by the ECJ in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) on Thursday 16 July 2020.
The EU-US Privacy Shield has provided the grounds by which US businesses can demonstrate that they meet the requirements of EU standards of data protection compliance, thus enabling EU organisations to transfer data into the US in compliance with EU law.
The ECJ has now ruled on the adequacy of the protection provided by the EU-US Privacy Shield, finding it invalid. The ECJ noted that the requirements of US national security, public interest and law enforcement have primacy and take precedence over any objections to the interference with the fundamental rights of individuals whose data are transferred to the US.
Businesses which currently rely on the EU-US Privacy Shield will now be faced with having to identify an alternative mechanism to transfer personal data to the US lawfully, such as transfers being subject to appropriate safeguards, transfers being lawful due to explicit consent being given, or transfers being necessary for the performance of a contract.
It is unclear whether there will be a grace period (as there was when the EU-US Safe Harbour arrangement was invalidated) to allow further time to put different safeguards in place, but further discussions between the EU and US are now envisaged.
The ICO's advice to organisations and others who are currently using the EU-US Privacy Shield framework when transferring data into the USA is to continue to do so until new ICO guidance becomes available. However, the ICO made it clear that organisations should not start to use the EU-US Privacy Shield during this period.