A couple of clients have recently asked me for news about the Privacy Shield replacement, so I thought a general update would be helpful.
Background:
- Privacy Shield was declared invalid by the EU in July 2020 following the Schrems II case.
- In the Brexit transition agreements, the UK agreed to take the same stance as the EU and hence Privacy Shield was made invalid for transfers to and from the UK.
- There was a switch to relying on SCCs (not watertight but the best that the ICO could recommend at the time).
- In March 2022 the EU and the US announced an in-principle agreement to implement Privacy Shield’s replacement, called the EU-US Trans-Atlantic Data Privacy Framework; the details are being worked on before each member state will be asked to ratify it. The UK will naturally not be a party to this.
The UK has two options, but nothing has been announced yet; we could either confirm an adequacy agreement with the US, or we could extend the new IDTAs (SCC replacements) by adding an addendum for the US.
Naturally, we will be monitoring the situation and will share any updates; for clients where we act as the DPO or adviser, we will already have had conversations about this and its impact.