On July 16, 2020, the European Court of Justice (CJEU), delivered (un)expected decision in the case- Schrems II (C-3111/18) on the adequacy of data protection mechanisms, provided by the EU-US Data Protection Shield, in data transfers between the EU and the U.S.
The CJEU decision will most likely change the landscape of transatlantic data transfer in the foreseeable future marking the EU-U.S. Privacy Shield Framework as no longer valid as a mechanism that allows compliance with EU data protection requirements when transferring personal data from the European Union to the United States.
The U.S. Secretary of State, Michael R. Pompeo commented in their press statement:
“The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU). Therefore, we are deeply disappointed that the Court of Justice of the European Union has invalidated the EU-U.S. Privacy Shield framework.”
On the other hand, the CJEU validated the SCC- Standard Contractual Clauses as a mechanism that ensures appropriate safeguards and compliance with the GDPR in transatlantic data transfers. However, it is stressed that data protection authorities must suspend or prohibit the transfer of data outside the European Union if the data cannot be protected appropriately.
Had the CJEU invalidated the SCC as well, it would immobilize the data transfer forcing companies to cancel all data transfers between the US and EU or risk high penalties for violation of the GDPR.
What is the Privacy Shield
Privacy Shield is an agreement created by the U.S. Department of Commerce and the European Commission, that outlines standards and provides data protection mechanisms for companies and governs the transfer of personal data from the European Union to the United States.
According to the General Data Protection Regulation (GDPR); “Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to those of EU law.”
This means the United States is no longer considered a secure third country by the EU standards.
What is the Schrems II case all about?
Schrems case is named after Max Schrems, an Austrian citizen, lawyer, activist, and co-founder of NOYB- European Center for Digital Rights. Early on Schrems was interested in Facebook’s lack of awareness of European privacy law.
As it is the case with so many users from European Union, Schrems’s personal data were transferred by Facebook Ireland to Facebooks’ servers located in the U.S. for further processing.
Schrems filed a complaint with the Irish supervisory authority (since Facebook European headquarters are in Ireland) in order to stop those transfers of his personal data, claiming that the practices in the United States did not provide sufficient safeguards against access by the public authorities in the country.
His complaint was rejected, stating the Commission had found that the United States ensured an adequate level of protection underlying the EU-US Safe Harbour arrangement. However, in a judgment delivered on 6 October 2015, the Court of Justice declared that the Commission’s US Safe Harbour Decision is invalid (‘the Schrems I judgment’).
Following the Schrems I judgment, Schrems reformulated his complaint, claiming that he US did not offer sufficient protection of data transferred to the country and seeks for suspension of the future transfers of his personal data to the United States, and the rest is history.
How will this affect the transfer of data?
As we mentioned before, companies will still be able to rely on the use of EU Standard Contractual Clauses when transferring personal data outside the EU. Companies will have to comply with the data protection standards in the third country or terminate the export of data where there are no appropriate data protection mechanisms in place.
If you are a company that relied on the EU–U.S. Privacy Shield when transferring data, from now on you should implement substitute safeguards like SCC.
The GDPR also allows derogations for specific situations (Article 49) that may be applicable in specific situations. However, relying on any such derogation requires a detailed assessment.
The U.S. Department of State commented: “The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions. […]This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.
The decision in Schrems case, although significant, does not mean the data transfer will suddenly stop. The EU Commission stated:
“While the Commission cannot predict the outcome of this litigation, it is looking into possible scenarios. In doing so, the Commission is in contact with stakeholders, including the United States authorities. In parallel, the Commission continues to work on alternative instruments for international transfers of personal data, including by reviewing the existing Standard Contractual Clauses.”