With the EU-U.S. Privacy Shield, the Court of Justice of the European Union (CJEU) has now overturned the second data protection deal between the EU and the U.S. However, the transfer of personal data to the U.S. and other third countries (i.e. outside the EU or the EEA) remains possible, provided that standard contractual clauses (SCCs) are agreed upon between the companies or organisations involved.
The CJEU wrote in a press release that it “invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield”, but “considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid”. Thus, the deal between the EU and the U.S. to transfer personal data becomes invalid.
The case that triggered this far-reaching decision is known as Schrems II. In a nutshell, Max Schrems, a privacy activist and lawyer, claimed that Facebook Ireland transfers and processes his personal data wholly or partially on servers of Facebook Inc., based in the U.S. In the complaint brought against the Irish supervisory authority, he argued that the U.S. does not provide a sufficient security mechanism to protect the transferred data. These transfers between Facebook Ireland and Facebook Inc. took place based on SCCs, which Schrems requested be suspended and prohibited. The Irish supervisory authority brought proceedings before the High Court to refer the questions to the CJEU for a preliminary ruling.
The British Information Commissioner’s Office (ICO) responded immediately with a statement:
“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with [the] UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
Standard Contractual Clauses remain valid
After the CJEU’s Advocate General (AG) published a legally non-binding opinion in December 2019 arguing for the validity of SCCs, the CJEU affirmed his opinion in its judgement on 16 July 2020. The Court found that personal data may still be transferred from the EU to the U.S. and other third states based on SCCs. It concluded that the clauses agreed upon between the data exporter established in the EU and the recipient of the transfer established in a third country provide sufficient guarantees to ensure a level of protection equivalent to that provided in the EU by the GDPR (General Data Protection Regulation).
Furthermore, the CJEU concluded that, due to their contractual nature, SCCs do not bind the authorities of the third country to the clauses based on the type of personal data transferred. Still, authorities must ensure that effective mechanisms make it possible, in practice, to comply with the level of protection required by the GDPR, and that transfers of personal data under such clauses are suspended or prohibited if the clauses are breached or cannot be honoured. For European countries, that means it is not sufficient merely to agree upon SCCs with companies in third countries; it must also be assessed whether or not the receiving country can, in fact, provide adequate protection. Additionally, the recipient is required to inform the data exporter if it cannot fulfil the clauses agreed in the SCCs. In this situation, the data exporter must suspend the data transfers, and supervisory authorities may need to prohibit data transfers.
Privacy Shield declared invalid
Alongside the SCCs and Binding Corporate Rules, the EU-U.S. Privacy Shield served as an additional guarantee in the context of data transfers between the EU and the U.S. As in its famous Safe Harbor decision from 2015, the CJEU decided with regard to the EU-U.S. Privacy Shield that U.S. national security, public interest and law enforcement have primacy, thereby authorising U.S. authorities to interfere with the fundamental rights of persons whose data are transferred to that third country.
Specifically, the CJEU concluded that limitations in U.S. domestic law to protect personal data transferred from the EU from access and use by U.S. public authorities are not substantially equivalent to those required under EU law, under the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
Furthermore, the CJEU casts doubt on whether the Ombudsperson of the EU Commission, to whom EU citizens can complain if they believe their privacy rights have been infringed upon by U.S. companies, is sufficiently independent. On those grounds, it questions the Ombudsperson’s ability to protect EU citizens’ rights in that matter.
Similar to the aftermath of the invalidation of the Safe Harbor agreement, the CJEU’s ruling striking down the EU-U.S. Privacy Shield triggers uncertainty for companies and organisations that transfer personal data to the U.S. Companies and organisations that continue to rely on the EU-U.S. Privacy Shield for data transfers to the U.S. may have to fear fines under the GDPR.
Furthermore, companies and organisations that have agreed upon SCCs with third countries must now themselves review and ensure that the terms agreed upon are being observed and, if not, draw the necessary conclusions.