The Office of the Data Protection Authority in Guernsey (ODPA) has warned companies in the Bailiwick to be aware of the recent Court of Justice of the European Union (CJEU) judgment which affects all businesses who transfer personal data outside of the Bailiwick and the European Union (EU). In the CJEU judgment, ruled on 16 July 2020, the EU-US agreement for data transfers, which is known as the Privacy Shield, has been struck down. Consequently, Guernsey companies need to ensure they have proper safeguards around any data transfers they make that rely on the Privacy Shield. Affected companies will now have to sign EU Standard Contractual Clauses (SCCs), a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA). SCCs are already used by some companies, such as Microsoft, who have issued a statement saying that due to the use of SCCs they are unaffected by this judgment. However, as a result of this judgment, SCCs will be much more closely scrutinised.
The Privacy Shield is a data transfer mechanism, created four years ago between the EU and the United States of America (US), which thousands of companies had signed up to. This allowed companies to rely on the legal protection to authorise transatlantic transfers of EU users' data. However, the recent CJEU judgment, known as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, "Schrems II"), is a consequence of Maximillian Schrems, an Austrian activist and author, filing a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems' complaint related to Facebook's alleged involvement in the 'PRISM' surveillance programme and suggested that US national security laws did not adequately protect EU citizens.
In its news update of 24 July 2020, the ODPA emphasised that the CJEU's judgment:
- highlights the crucial role of privacy protections;
- emphasises that these protections must travel with data;
- relates to all non-EEA and non-'adequate' jurisdictions, not just the US; and
- that these types of data transfers cannot be a tick-box exercise.
The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA. The ODPA has suggested that considering the immediate effect of Privacy Shield being invalid, any Guernsey companies that may be affected should do the following:
- identify if they have been relying on the EU-US Privacy Shield for data transfers by checking the terms of service, contracts or privacy statements for all third parties used to process data (e.g. Eventbrite, Facebook, MailChimp, LinkedIn, Twitter, Instagram, Basecamp, Slack etc.);
- if they find that they have been relying on Privacy Shield they must work towards an alternative. Please refer to sections 56, 57 and 59 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for details of data transfer requirements;
- if they are relying on SCCs or Binding Corporate Rules (BCRs), comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards. Whilst the CJEU judgment recognises SCCs as valid, it also raises significant questions around their use. It is clear that relying on 'derogations' (such as SCCs or BCRs) in light of this judgment is no longer a straightforward matter and reliance upon any mechanisms cannot be a paper exercise; and
- whilst this judgment does not prohibit data transfers outside of the EEA and adequate jurisdictions, carefully review the position and invest resources into ensuring appropriate safeguards are in place.
There are no easy or quick solutions to the complexities of this judgment, but it highlights how crucial it is for controllers to ensure that they review their processing and any contracts that they may have with processors. It reminds us that real compliance cannot be a tick box exercise, it must be part of a carefully considered and holistic governance framework which, done well, will protect both individuals and organisations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.