Court of Justice of the European Union overturns EU-US Privacy Shield
On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the European Commission’s Implementing Decision on the EU-US Privacy Shield, without a transitional period, thus dealing a harsh blow to transatlantic data transfer.
In a no less sensational decision, the CJEU had already invalidated in 2015 the European Commission’s Implementing Decision on the predecessor to the EU-US Privacy Shield, the US/EU Safe Harbour Framework. Just a few months later, by a new Implementing Decision, the European Commission had certified the successor of the invalidated US/EU Safe Harbour Framework, the EU-US Privacy Shield, as having an adequate level of protection for the transfer of personal data to companies in the US. However, this successor was soon subject to strong criticism.
With the recent CJEU ruling on the invalidity of this new Implementing Decision on the EU-US Privacy Shield, transatlantic data transfer is now experiencing a disastrous déjà-vu situation. According to the CJEU, the US cannot be certified as having an adequate level of data protection due to a number of US authorities having administrative access powers and a lack of legal protection options in the US for EU citizens.
The CJEU also clarified in its ruling that the EU standard data protection clauses (or ‘standard contractual clauses’) often used in practice for international data transfers are not in themselves open to criticism.
At the same time, however, in its judgment, the CJEU makes it very clear that the competent supervisory authority is obliged to suspend or prohibit any transfer of personal data to a third country based on standard data protection clauses if, in the light of all the circumstances of that transfer, the authority considers that the clauses are not or cannot be complied with in that third country. Given the critical remarks made by the CJEU on the legal situation in the US, the question therefore arises as to whether supervisory authorities should prevent data transfers to the US even if these transfers are made on the basis of the standard contractual clauses and at the same time it is clear that the specific data importers in question are subject to US law, which makes it impossible for them to comply with the standard contractual clauses. The CJEU’s ruling thus ultimately calls into question the lawfulness of the transfer of personal data to the US on the basis of standard contractual clauses as a whole.
It remains to be seen how the European supervisory authorities will position themselves in this regard. In particular, the question arises as to whether the supervisory authorities will grant companies a certain grace period in order to adapt to the new legal situation. Following the CJEU’s Safe Harbour ruling, the data protection authorities had agreed at the time on a grace period of a few months.
Initial comments from the German authorities on the CJEU’s Privacy Shield ruling suggest that in the authorities’ view, data transfers to the US may still be permitted on the basis of standard contractual clauses, at least in individual cases. For the time being, however, the standard contractual clauses are overshadowed by the sword of Damocles of an administrative complaint or even the imposition of fines. It is to be hoped that the European supervisory authorities will quickly provide clarity on this issue.
In any case, for all transfers to third countries based on standard contractual clauses (i.e. not only to the US), data-exporting companies will no longer be able to review in detail which laws apply to the data importer in the intended third country of data transfer or to any other recipients, and whether these laws undermine the guarantees they provide when signing the standard contractual clauses. To this end, it will probably be essential to analyse the specific data exports in detail and to determine which third-country laws apply. As a result, concluding standard contractual clauses in practice is likely to require significantly more effort. Whether standard contractual clauses will remain a workable solution against this backdrop remains to be seen.
We therefore recommend in particular examining carefully whether other appropriate safeguards (Article 46 GDPR) or derogations (Article 49 GDPR) could be considered as alternative solutions for transfers to third countries rather than standard contractual clauses.
Further reading:
- CJEU – Press release of 16 July 2020 – The Court invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield
- CJEU – Judgment of 16 July 2020 – Case C311/18 — Data Protection Commissioner v Facebook Ireland Ltd (Schrems II)
- LfDI Rheinland-Pfalz – FAQs on the CJEU judgment of 16 July 2020 (C-311/18)