Jocelyn S Paulley
Partner
Co-Head of the Retail Sector (UK)
Co-lead of Data Protection and Cyber Security sector (UK)
Article
9
The Court of Justice of the European Union (CJEU) ruled on 16 July 2020 that the EU-US Privacy Shield is invalid as a mechanism for transferring personal data to third parties in the US.
If that sounds all too familiar, that is because there was a similar decision five years ago when the previous EU-US transfer mechanism, known as the Safe Harbour Decision, was also found to be invalid.
The Information Commissioner's Office (ICO) is considering the CJEU's judgement to support organisations with international data flows. Watch this space for further guidance, and potentially an alternative scheme to replace the Privacy Shield. However, given the CJEU's comments about the ability of US intelligence agencies to harvest data through the sub-sea cables that form the backbone of the internet, we may not see a revitalised Privacy Shield for some time to come.
Organisations must once again rely on the standard contractual clauses approved by the European Commission to provide an adequate level of protection for personal data transferred to a third country. The most recent CJEU decision does at least provide some comfort that the standard contractual clauses will continue to be upheld as a valid transfer mechanism as the court considered their effectiveness.
Organisations should identify contracts under which data has been transferred to the US based on the Privacy Shield and put in place standard contractual clauses instead. There is new emphasis on data exporters to monitor the protection in place for the data transferred, and stopping transfers if the clauses are breached or the country to which data is being exported no longer provides sufficient protection.
Under the General Data Protection Regulation (the GDPR)[1] , data transfers to a third country may, in principle, only take place if that third country ensures an adequate level of data protection, as determined through the third country's domestic law or international commitments. In the absence of an adequacy decision, such transfers may only take place in limited circumstances or where the data exporter (established in the EU) has provided appropriate safeguards, such as standard data protection clauses adopted by the Commission in Decision 2010/87[2], and data subjects have enforceable rights and effective legal remedies.[3]
In 2013, an Austrian national, Mr Schrems, brought a complaint against Facebook to prohibit data transfers from Facebook Ireland to servers in America belonging to Facebook Inc. for processing, on the basis that the law and practices in the United States did not offer sufficient protection from access by public authorities and intelligence agencies (Schrems I)[4]. The court rejected the complaint as they found an adequate level of protection existed in Decision 2000/5205 (the Safe Harbour Decision)[5]. Mr Schrems reformulated his complaint to seek the prohibition of future transfers of his personal data through standard data protection clauses. The Irish High Court referred questions to the CJEU, which subsequently declared in Decision 2010/87 that the Safe Harbour Decision was invalid. Consequently, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (the Privacy Shield Decision)[6].
In its preliminary ruling[7], the CJEU had to decide:
The court found that:
Footnotes
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1).
[2] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100).
[3] Article 46(1) and (2)(c) of the GDPR.
[4] Case C-362/14 see also Press Release No. 117/15.
[5] Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 p.7).
[6] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1).
[7] Case C-311/18.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.