The USA has not been granted an Adequacy Decision by either the UK or the EU. Until 2020, the Privacy Shield scheme served to legitimise data transfers from the UK or EU to the USA, for organisations certified by Privacy Shield. However, following the much-publicised Schrems II decision, the Privacy Shield scheme was ruled inadequate.
Now, the EU has seen a first decision issued for a related failure to comply with international transfer obligations. Following a complaint by NOYB (an organisation initiated by Max Schrems), the Austrian Data Protection Authority has issued a decision stating that a company’s use of Google Analytics (and thereby transfer of data to Google in the US) constituted an unlawful data transfer. This was because the EU SCCs relied upon did not safeguard the transfer of personal data to the USA, as US intelligence agencies are able to access the personal data.
We have already seen similar decisions emerge from the European Data Protection Supervisor and the French privacy regulator CNIL, and the Norwegian and Dutch Data Protection Authorities have indicated they may well take the same position as the Austrian Data Protection Authority in due course.
Whilst not applicable to the UK, these decisions place US data transfers under further scrutiny and are concerning for organisations transferring personal data to the USA. In order to maintain its adequacy status, the UK’s data protection regime must continue to be broadly equivalent to the EU’s. This would include alignment of the requirements for data transfers to third countries, such as the USA. As such, it may be that the UK is forced to adopt a similar approach.
In the meantime, these decisions are likely to lead to a much greater emphasis on renegotiating the Privacy Shield framework as a means to safeguard transatlantic data transfers.
For more information on this article, please contact Hannah Pettit.