CJEU invalidates the Privacy Shield: implications for EU-US personal data transfers

For an outlook of the latest development as at July 2023 in relation to transfers to the US, please read our article about the New EU adequacy decision allowing personal data transfers to US self-certified entities!

This case marks one episode in a succession of rulings opposing the privacy rights of activist Maximilian Schrems to Facebook Inc. For more information, regarding the hearing leading towards last week's ruling click here.

This case is not only about the invalidation of the EU-US Privacy Shield but also has an impact on the manner in which EU standard contractual clauses may have to be implemented in the future.

Since May 2018, the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") has set new standards in terms of data protection. Pursuant to the GDPR, personal data cannot,in principle, be transferred to recipients outside of the European Union (“EU”) except if (i) there is a decision by the European Commission certifying that the destination country offers an adequate level of data protection (Article 45 GDPR) or, failing this, (ii) appropriate safeguards are in place such as SCCs or binding corporate rules (Article 46 and 47 GDPR) or, failing this, (iii) certain limited derogations can be relied upon in specific situations (Article 49 GDPR). Orders and requests from courts and law enforcement agencies of a country outside of the EU requiring transfers of personal data are only valid if based on an international agreement such as a mutual legal assistance treaty (Article 48 GDPR).

Transfers to the Unites States of America (“US”) were covered by an adequacy decision benefiting solely entities who self-adhered to the EU-US Privacy Shield Framework and were therefore listed on the dedicated website of the US Department of Commerce (with which the European Commission negotiated that international mechanism).

On 16 July 2020, the Court of Justice of the European Union ("CJEU") ruled on Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems ("Schrems II") invalidating the EU-US Privacy Shield Framework. The CJEU found that the EU-US Privacy Shield does not provide sufficient guarantees to data subjects, as required by EU law. 

On the other hand, the CJEU reaffirmed the validity of EU standard contractual clauses ("SCCs"). While the latter were declared valid, data exporters (possibly with the assistance of the data importer) would, however, be responsible for assessing whether the legal standards in the country of the data importer allow meeting a level of data protection equivalent to that existing in the EU. Where those standards are not met, organisations must provide additional safeguards or suspend the transfer of personal data.

One day after the ruling, the European Data Protection Board ("EDPB") released a statement (available here) welcoming the decision and confirming the responsibility of data exporters and importers in assessing the level of data protection standards in receiving countries by taking into account the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime in the importer’s country.If, according to such an assessment, the local laws do not allow the data importer to comply with its contractual obligations under the SCCs, the data exporters might be required to put in place additional measures to those included in the SCCs to meet an equivalent level of data protection. The EDPB added it “will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment”, to ensure consistency across the EEA.

The particular nature of those additional requirements will still require clarification in the near future. However, for now, it is certain that the ruling of Schrems II will prompt organisations to review the basis for their data transfers and adapt their related data protection documentation (such as their arrangements with data importers, including in particular in the US).

On the practical implications of the judgement on businesses, US Secretary of Commerce, Wilbur Ross, said “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies – but to businesses of all sizes in every sector” (full statement available here).

Timeline of Schrems II:

CJEU invalidates the Privacy Shield - Timeline