EU–US Privacy Shield ruled invalid: what now?

16 July 2020 is likely to be remembered as the day the CJEU (Court of Justice of the European Union) invalidated the EU–US Privacy Shield Framework.

The CJEU handed down its judgement in Schrems II, in which it considered the validity of both the EU–US Privacy Shield and SCCs (standard contractual clauses). The judgement affects not only organisations that transfer personal data to the US, but any organisation that transfers personal data to a country outside the European Union.

The Privacy Shield was adopted in 2016 as a mechanism allowing organisations on both sides of the Atlantic to transfer personal data for commercial purposes.

It was created to address the failures of its predecessor, Safe Harbor, which the CJEU had declared invalid following legal action by the Austrian privacy activist Max Schrems (Schrems I). Schrems also brought the latest action before the court.

The complaint in Schrems II was that US surveillance laws did not offer adequate protection for EU personal data; in particular, that personal data Facebook transferred to the US was accessible to the US National Security Agency.

The CJEU found the European Commission’s adequacy determination for the Privacy Shield was invalid for two main reasons:

(1) US surveillance laws are not limited to what is strictly necessary and proportionate as required by European data protection law, and

(2) data subjects did not have a right to an effective judicial remedy in respect of those US surveillance laws.

The court considered only the EU–US Privacy Shield, but it is likely that the same fate will befall the Swiss–US Privacy Shield, although that is not certain at present.

Standard contractual clauses

The CJEU also considered the validity of SCCs and ruled that they are a valid mechanism for transferring data outside of the European Union.

However, their use has come under greater scrutiny. The court confirmed that SCCs serve as an appropriate mechanism for transferring personal data to a third country only where the data will receive, in that country, a level of protection essentially equivalent to that guaranteed in the EU.

This means organisations should assess how data will be treated in any country outside the EEA (European Economic Area) for which there is no adequacy decision, to ensure that adequate protections are in place.

Organisations should assess the country’s legal system, its approach to data protection, its national security regime and enforceable remedies for data subjects. Assessments should be undertaken on a case-by-case basis before any data transfer takes place.

If adequate protections are not in place, organisations must put supplementary safeguards in place or suspend the transfers. The judgement places similar obligations on supervisory authorities: they must consider data transfers on a case-by-case basis and prohibit or suspend transfers where the protection afforded to the data is not essentially equivalent to that in the EU.

Organisations should now review all of their data transfers, identify where the Privacy Shield is relied upon, review all contracts containing SCCs, and identify the third countries to which data is being transferred, with particular emphasis on the US.

With the Privacy Shield now invalidated, the EU and the US need to find a commercially and legally viable alternative. Over the coming days, weeks and months, privacy professionals and organisations alike will be looking to supervisory authorities for clear guidance on the future of data transfers.

How should you transfer data?

The CJEU's ruling will leave many data protection managers scratching their heads over how they are now supposed to make transatlantic data transfers.

Although there are detailed rules in place, we wouldn't be surprised if you were unsure exactly how they work and feared making a costly mistake.

That’s where the EU–US GDPR Data Transfer Assessment and Action Plan helps. Delivered by our sister company IT Governance, this service provides practical, step-by-step guidance to ensure that your data transfers to and from the US remain GDPR compliant.

Find out more