CJEU invalidates EU-US Privacy shield

On the 16th July 2020, the Court of Justice of the European Union (CJEU) issued its decision invalidating the EU-US Privacy Shield framework. The CJEU ruled that the Privacy Shield framework is inadequate and incompatible with the personal data protection intended to be afforded by the General Data Protection Regulation (GDPR).

Therefore, if your company relies on the Privacy Shield framework for personal data transfer from the EU, you need to take immediate steps to adopt a replacement mechanism for data transfer such as the Standard Contractual Clauses (SCC).

Background

The Privacy Shield was an agreement negotiated in 2016 between the European Commission, the US Department of Commerce and Switzerland to provide a mechanism for companies to transfer data from the EU and Switzerland to the United States. Under the Privacy Shield companies could self-certify that the necessary safeguards have been put in place for the protection of transatlantic transfers of personal data. The Privacy Shield subsequently received approval from the European Commission in the form of aadequacy decision in July 2016. The adoption of this decision meant that the EU-US Privacy shield offered an adequate level of protection for personal data.

After its adoption, a group of European privacy activists quickly filed a legal challenge to the Privacy shield as they argued that it failed to uphold fundamental EU rights. At the same time, an Austrian privacy activist, launched a judicial process in Ireland against the Standard Contractual Clauses (SCC) as he considered that they did not prevent the US Intelligence Services from claiming its personal data transferred to US Companies. The Standard Contractual Clauses (SCC) are a set of model contractual terms that can be used between EU-based data exporters and non-EU based data importers and are commonly used for the transfer of personal data outside the EU. The clauses predate the GDPR and have not been updated since the GDPR came into force in 2018.

The Ruling

The CJEU concluded that US law enforcement agencies have wide-ranging access to personal data that are received by Privacy Shield-certified entities in the U.S., and that such access is not subject to equivalent protections to those that exist under EU law. In particular, the CJEU found that access to transferred data by US law enforcement agencies is not subject to the principle of proportionality and is not limited to what is strictly necessary. The CJEU also held that there is no mechanism that enables individuals to bring complaints about the processing of their personal data in a manner equivalent to the rights that exist under EU law. Accordingly, the adequacy decision from 2016 was invalidated and the EU-US Privacy Shield cannot longer be usedfor transatlantic data transfers.

The CJEU also examined the validity of Standard Contractual Clauses (SCC). The CJEU ruled the SCCs are valid. However, the CJEU underlined that a correct application of the SCCs require the parties to assess whether they can comply with their respective obligations under the SCCs in the light of the data protection laws in the country where the data recipient is established. Supervisory authorities are required to stop or prohibit such transfer to a third country where the SCCs are not or cannot be complied with.

Aftermath and next steps
The ruling means that business in the EU will no longer be able to transfer personal data to a recipient in the US in reliance on the Privacy Shield framework. The use of alternative methods for data transfers requires a legal assessment at company level. The most common alternative transfer mechanism is likely to be the Standard Contractual Clauses. However, companies need to ensure that their use is justified in the light of the CJEU ruling. Other possible data transfer mechanisms such as the derogations under Art.49 of the GDPR or Binding Corporate Rules (BCRs) could also be used on case-by-case basis. 
 
The European Commission has indicated that they still need to further study the judgement and that they are discussing with the US about the way forward. Regarding the Standard Contractual Clauses, the Commission has reaffirmed its intention to start working on its modernisation as planned under the GDPR evaluation report.