UK and US data transfers ruled invalid by the EU

At the end of July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield agreement is “invalid”, making it considerably harder for companies to transfer personal data across the Atlantic. Since the UK is still subject to EU laws, this has an immediate impact on UK businesses, and will change the future data landscape for data transfer negotiations the UK holds with the US and the EU.


With data being one of the most valuable resources in the world, this significant change to data transfer laws is going to affect a lot of businesses.

What was the Privacy Shield?

The EU-US Privacy Shield was introduced in 2016 to facilitate the transfer of personal data by companies between the EU and the US, and since its introduction it has been used by a lot of companies – from SMEs to household names – to allow them to have a cross-Atlantic data network.

Since the UK only left the EU at the start of 2020 (and is still subject to its laws until the end of 2020), plenty of UK companies have also been making use of the Privacy Shield to transfer data to and from the US, and will be impacted by this ruling.

What happens with data transfers now?

Since the CJEU has ruled that the US is not an adequate country to receive EU data, companies that regularly transfer data from the EU to the US will need to review and change their processes. There is also a significant risk that the US will retaliate in some way and prevent US data being sent to the EU and the UK.

It’s currently unclear whether the European Commission will allow a grace period for companies to prepare for the removal of the Privacy Shield. When Safe Harbour* was removed, the Commission did grant a grace period, which allowed companies to continue their existing data transfers while they put in new legal systems to facilitate future transfers.

*Safe Harbour was the previous EU-US data transfer agreement.

This grace period is most important for SMEs and other small businesses who don’t have the same resources as global corporations to put alternative data transfer systems in place. Without it, a lot of companies (including those in the UK) might have to pause data transfers until they configure a new legally compliant way of moving data from the EU to the US.

Long term options for UK SMEs

Multi-national businesses always have the option to set up data storage facilities in the US for US data, and in the EU for EU data, allowing them to effectively sidestep these issues. Many small companies are unable to afford this setup, so UK SMEs will need to quickly work out a new legal basis on which they can transfer their data to and from the US.

The Schrems II ruling (the court case this Privacy Shield decision is a part of) has upheld the validity of two alternative data transfer mechanisms: SCCs and BCRs. If you need to continue your data transfers to and from the US, these will give you the legal validity to do so.

Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are alternative processes that provide companies with the legal permission to transfer personal data internationally when broader agreements (like Privacy Shield) don't apply.

However, it’s important to note that when the UK formally leaves the EU on the 31st December 2020, it will technically no longer be subject to EU laws, including Privacy Shield (assuming it’s still in place by then).

Since we were previously covered by the EU’s agreements, part of the Brexit process has been the Government negotiating with the rest of the world on data transfers, including those between the UK and the US. In other words, you’re going to need to keep a careful eye on data transfer news for the next year, especially as the UK finishes the final stages of Brexit.

What are the next steps?

Without confirmation of whether there is going to be a grace period or not, it’s hard to gauge the urgency of the situation. Everyone will need to be watching the European Commission until they reach that decision.

Unfortunately, it is looking more likely that all companies will need to pursue SCCs or BCRs to be able to transfer data to the US, though a grace period (and better public knowledge of this ruling) would make this task much more achievable. Part of the current (and any future) data transfer mechanisms requires companies to have a secure and reliable system to store data on. If you’re unsure whether your current in-house IT systems meet that standard, you may want to consider transferring your servers to a secure data centre.

About 4D

Your trusted managed infrastructure partner.

We've built our reputation helping hundreds of organisations like yours leave behind reactive systems and processes while keeping pace with an ever-changing threat landscape. 

Our colocation, cloud, connectivity and security services are tailored to your exact business requirements, and we pride ourselves on staying up to date with the latest data policy changes so that we can advise our clients and provide them with flawless business continuity.

Operating since 2007, 4D Data Centres has won multiple awards and proven our reliability by never having a power outage and guaranteeing 99.999% network uptime.