On July 16, 2020, the European Court of Justice (Court) ruled in the “Schrems II” case that one of the most commonly used cross-border data transfer mechanisms between the European Union (EU) and the United States (US), the EU-US Privacy Shield Framework (Privacy Shield), is invalid. The Court reasoned that when European data subjects’ personal data is transferred to a third country, the business in the third country must be able to protect that personal data with roughly the same level of protection that the personal data is guaranteed within the EU by the General Data Protection Regulation (GDPR). The Court added that this assessment must also consider how the third country’s legal system and public authorities may access the personal data, and whether that access affords the protections guaranteed within the EU.
The Court found that surveillance laws in the US allow the US government to access the personal data of Europeans that is transferred to the US, and that the Privacy Shield does not protect Europeans’ personal data from such US government surveillance. Furthermore, the Court found that Europeans are not afforded the right to bring actions in US courts to prevent this type of access, as they could in the EU. The Court therefore ruled that the adequacy decision that forms the basis for the Privacy Shield is invalid, because the Privacy Shield cannot offer Europeans a level of protection equivalent to the one they are entitled to in the EU. This means that businesses currently relying on the Privacy Shield, of which there are over 5,000 active participants, will need to find an alternative mechanism to transfer personal data from the EU to the US.
By contrast, the Court upheld one of the other mechanisms for transfers to the US, the standard contractual clauses, which Schrems had also challenged. The Court reasoned that although standard contractual clauses do not bind the authorities of third countries (and therefore do not suffer from the same deficiencies as the Privacy Shield), the data exporter and the data importer are both required to verify, prior to the transfer, whether the data importer can afford data subjects appropriate safeguards, enforceable rights, and effective legal remedies. On that basis, the Court found that the standard contractual clauses adequately protect personal data with roughly the same level of protection that personal data is guaranteed by the GDPR.
In a press conference given by the European Commission, Věra Jourová, Vice-President for Values and Transparency, highlighted that the European Commission is working to modernize the standard contractual clauses and that the requirements of this ruling will be incorporated into any future updates of them. Jourová also commented that businesses can still rely on binding corporate rules for the transfer of personal data from the EU to the US.
Businesses that are currently Privacy Shield certified should start examining other transfer mechanisms as an alternative to the Privacy Shield. Whether they choose to use standard contractual clauses or binding corporate rules, businesses that transfer EU data to the US must provide the data subjects whose information they receive with appropriate safeguards, enforceable rights, and effective legal remedies.