16 Jul 2020
Today, the Court of Justice of the European Union (CJEU) announced its judgment in the case referred to as 'Schrems II' (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid as it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States. It did however rule that standard contractual clauses (SCCs) for the transfer of personal data from the EU to countries outside the EU remain valid; also stating that companies relying on SCCs have several obligations to ensure compliance with EU data protection requirements.
The Privacy Shield, which replaced the Safe Harbor Framework, became operational in August 2016. Now, like its predecessor, it has been rendered invalid by a decision of the CJEU, primarily because of concerns over the access that U.S. intelligence agencies have to EU citizens' personal data.
So this appears to leave SCCs as the main option available to EU organisations. However, the Court highlighted that, when relying on them, data controllers need to assess the level of data protection afforded by the country to which the personal data is being transferred (e.g. the USA). Specifically, data controllers must:
- collaborate with their data processors and data subjects to determine whether the data protection laws of the recipient country fail to provide adequate protection for data subjects
- take supplementary measures to compensate for any shortfall in the protection afforded by the SCCs
- consider measures that include ensuring that data subjects have enforceable data subject rights and access to effective legal remedies
- suspend or end the transfer of personal data from the EU to the recipient country (e.g. the USA) where the data controller or data processor cannot take such additional measures to guarantee adequate protection
Several countries outside of the EU (and probably the UK when it emerges from Brexit 'Transition') have recognised the EU SCCs or adopted model contract clauses similar to the EU SCCs as legal mechanisms for international personal data transfers. They may now require data controllers to conduct country-specific data protection law assessments and provide additional safeguards for any deficiencies revealed.
We can hope that this decision will lead to a change in U.S. surveillance laws or the monitoring practices of U.S. intelligence agencies, but realistically that is likely to be a long term process at best.
In the meantime, organisations must continue to ensure that their privacy practices and procedures comply with the requirements of EU (and UK) data protection laws when they implement alternative transfer mechanisms.
Note for our clients
We have amended section 9 of our Privacy Notice to reflect these changes.
21 Jul 2020
We continue to operate successfully under coronavirus restrictions. We are still conducting all business 'remotely' and for the time being:
- we won't be making any client visits or otherwise meeting our clients face to face
- we will use technology to communicate with our clients; fitting in with their practices wherever possible
- we will inform clients of changes in the delivery of our services via the usual channels and by posting notices here - on the home page of our website
We wish all our clients well and hope that they, like us, are managing as well as they can under the circumstances.
19 May 2020
Easyjet has admitted to having its systems hacked in January 2020.
Apparently data relating to about nine million customers has been compromised, but the airline has stated that "There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing."
Airlines have been in a difficult position ever since the COVID-19 pandemic struck and this can only add to Easyjet's problems. It can only be hoped that its customers are not affected adversely by this breach.