End of the Privacy Shield – what could it mean to your business
I have been following with interest the progress of the ECJ review of the Privacy Shield agreement for the flow of personal data between the EU member states and the US.
As Brexit approaches, we all have to get our heads around changes in legislation regarding our relationship with Europe. And now there is a new challenge, as an article in WIRED UK magazine explains.
For the past 20 years, data has been allowed to flow freely between the EU and the US via a sharing agreement called the Privacy Shield. This data underpins digital trade and a great deal of economic activity, including emails, clinical trials and apps such as Zoom.
But an overnight change in policy about data transfer between the EU and the US has serious ramifications for the UK. On 16 July 2020, the European Court of Justice (ECJ) invalidated the Privacy Shield, citing concerns over whether the US was a safe haven for EU residents’ data.
So why does this concern us in Britain?
In the short period of time we have to secure a Brexit agreement, Britain has been trying to confirm that data could still move freely from the EU to the UK from 2021. It also wants unrestricted data transfer to the US, and it was hoped that a Privacy Shield-style system could be implemented.
The ECJ ruling invalidated this, which will not only cause delay and expense for thousands of US companies, but will impact on businesses here in the UK.
We can, as an alternative to the Privacy Shield, use Standard Contractual Clauses (SCC) but switching to this channel will mean extra bureaucracy and cost, and will affect start-ups and small enterprises the most.
The ECJ is not entirely happy with the SCC channel either and is insisting that the level of security is as high as within the EU. The worst-case scenario is that SCC could be invalidated to, too. For the time being though, the SCC remains a valid mechanism for transferring personal data outside of the EU albeit with additional requirements to undertake and document a positive risk assessment.
Whatever the outcome, there will be severe disruption to data flow between the EU-UK-US.
Osborne Clarke has published good guidance on what to do next. To access the guidance click here.