The decision of the European Court of Justice in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems struck down the EU-US Privacy Shield with immediate effect. This caused gasps of horror in the data protection world and more widely as people realised just how significant this judgement was and just how often the Privacy Shield was the mechanism under which personal data was being transferred to the US. Initial articles on the subject sometimes mentioned using Standard Contractual Clauses (SCCs) instead as they appeared to have survived the Court’s scrutiny. Then there was the slow recognition that there were serious question marks over the use of SCCs as US law does not ensure an equivalent level of protection for personal data.

Such were the repercussions of the judgement and the many questions being asked that on 23 July the EDPB (European Data Protection Board) adopted a set of Frequently Asked Questions (FAQ). These are helpful to a point but by no means provide any real answer to the problems caused by the judgment. What is most interesting is the stark contrast between the EDPB’s approach and that of the ICO. The EDPB FAQ document says of the Privacy Shield, ‘Transfers on the basis of this legal framework are illegal’.  However, a visit to the Privacy Shield page of the ICO website reveals a statement as follows:

‘We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020.If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period’

However, continuing to use the Privacy Shield carries risks, even if one assumes that there is no risk of ICO enforcement while the ICO statement remains as above. For example, individuals could bring claims for compensation.  The ICO has not mentioned this but the Berlin Data Protection Authority has referred to it in a press release (which is only available in German) and has also told organisations in Berlin to shift their data storage from the US back to Europe.

IMPORTANT UPDATE: On 27th July 2020, the ICO changed its statement on its website to read:

‘The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. For more information please read our latest statement.’

This statement brought it into line with the EDPB.