The Court of Justice of the European Union Questions the Validity of Personal Data Transfers Between the EU and the United States - Clarip Privacy Blog

The Court of Justice of the European Union Questions the Validity of Personal Data Transfers Between the EU and the United States

Invalidated Personal Data Transfers Between EU and United States

In a groundbreaking decision issued on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Data Protection Shield and upheld the validity of the Standard Contractual Clauses, while raising questions about their application to personal data transfers between the European Union and the United States.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred outside of the European Economic Area only if the transferee country ensures an adequate level of protection of the data. In the absence of an adequacy decision by the European Commission, data can only be transferred on the basis of one of several prescribed mechanisms.

The Standard Contractual Clauses (SCCs), incorporated into the contract between the exporter and importer of the data, are the most widely used solution for organizations to facilitate cross-border data transfers in compliance with the GDPR. According to a recent survey, about 88% of companies rely on the SCCs.

The EU-US Privacy Shield, which was officially adopted in 2016 by the European Commission, is also a data transfer mechanism between the two regions.  More than 5,300 companies that transfer personal data to the United States rely on the Privacy Shield.

The Privacy Shield replaced the Safe Harbor data transfer framework which was invalidated by the CJEU in 2015 as a result of a legal challenge brought by privacy advocate Max Schrems stemming from transfers of his data from an Irish Facebook subsidiary to Facebook servers located in the United States (Schrems I). The CJEU found that the Safe Harbor lacked protection of fundamental rights “essentially equivalent” to that in the EU. Particularly, it found that the U.S. national security, public interest and law enforcement have been placed above the Safe Harbor principles.

Following the 2015 CJEU decision, Facebook sought to rely on the SCCs as the basis for the cross-border transfer of Schrems’s personal data.  Schrems, in turn, asserted that the SCCs could not justify the transfer to the United States given the potential for the U.S. government’s access to his data (Schrems II).  The High Court of Ireland referred the matter to the CJEU.

In its decision in Schrems II, the CJEU upheld the validity of the SCCs but held that data subjects whose personal data are transferred to a third country pursuant to the SCCs must also be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. “[T]he assessment of that level of protection must take into consideration . . . the relevant aspects of the legal system of th[e] third country, as regards any access by the public authorities of that third country to the data transferred.”

The Court’s decision obligates a data exporter and a data importer to verify whether the necessary level of protection will be afforded to data subjects in the importer’s country in light of that country’s national security and surveillance laws. If the recipient concludes that the necessary level of protection cannot be afforded, it must inform the exporter, and the exporter, in turn, must suspend the transfer. If the data exporter itself does not suspend the transfer, the applicable data protection authority would be required to do so.

The Court further invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield.  “In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country . . .  are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary. . . . [I]n respect of certain surveillance programs, those provisions do not indicate any limitations on the power they confer to implement those programs, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programs in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.”

The Court’s decision creates a great deal of uncertainty for companies transferring personal data between the European Union and the United States. While the Court outright invalidated one of the existing transfer mechanisms – the Privacy Shield – its reasoning also questions the validity of the Standard Contractual Clauses as applied to EU-US data transfers, as the Court already concluded that US surveillance laws do not guarantee a level of protection essentially equivalent to that guaranteed by EU law.
