European Court of Justice Invalidates Privacy Shield but Re-approves Standard Contractual Clauses
16 July 2020
Technology & Regulation in the Spotlight
The European Court of Justice (“CJEU”) has published a ruling which invalidates the EU-US personal data transfer scheme “Privacy Shield”, but reaffirms the transfer of data using the “standard contractual clauses” mechanism.
According to the European General Data Protection Regulation (“GDPR”), the transfer of personal data from the EU to another country is restricted and subject to various conditions. The European Commission (“EC”) is authorized to afford recognition to certain countries that offer an adequate level of privacy protection, in order to allow the free transfer of personal data from the EU to these countries without the need to comply with other restrictions and conditions.
The United States has never been afforded this level of recognition by the EC. However, the EC recognized a similar level of adequacy in the case of transferring personal data to US-based companies which have participated in the self-certification scheme, “the Privacy Shield”.
The GDPR also allows the legal option to transfer data from the EU to a third country pursuant to an adequate contractual mechanism. Such a mechanism was developed by the EC: the Standard Contractual Clauses (“SCC”).
These mechanisms of data sharing have been the focus of European courts since 2013, well before the enactment of the GDPR. In 2015, the CJEU, in the judgment known as “Schrems I”, struck down a previous data transfer framework (the “Safe Harbor”), as it did not guarantee adequate protection for EU citizens’ data. After this ruling the mechanism was revised, the Privacy Shield certification was created, and it has been a key method of transferring data between the EU and the US since.
The CJEU’s Recent Judgment
In April 2018, the Irish High Court referred interpretive questions to the CJEU, including on the validity of the Privacy Shield and the SCCs. After almost two years of discussions, the CJEU has given its long-anticipated judgment (also known as “Schrems II”).
With respect to the challenge to the SCCs, the CJEU has decided to revalidate the EC’s decision allowing this mechanism. However, the CJEU stated that EU law, and particularly the GDPR, applies to the transfer of personal data from the EU to a third country, even if the data might be processed by local authorities in that country. Hence, EU supervisory authorities would have to suspend or prohibit the transfer of personal data to a third country if they find that the SCCs cannot be complied with in that country. The data exporter and the recipient must also verify compliance with the SCCs.
As to the Privacy Shield, the court has found this mechanism invalid. In the view of the CJEU, the limitations on personal data protection, which are imposed by US domestic law on the access and use by the US authorities of personal data, are not circumscribed to an extent that satisfies the requirement of an equivalent protection. Specifically, the Court held that the US surveillance programs do not follow the principle of proportionality, as the access and use are not limited to the extent that is strictly necessary. In addition, the court held that the Privacy Shield lacks the measures to enforce a protection of data subjects that is substantially equivalent to that required by EU law.
This ruling of the CJEU puts an end to personal data sharing between the EU and the US that is based on the Privacy Shield. Immediate and complex implications are expected for companies that currently rely on this mechanism.
Companies that transfer personal data from the EU to the US must analyze their data sharing mechanisms and consider proper adjustments that would allow the implementation of alternative data transfer legal mechanisms.
Feel free to contact us if you have any questions regarding the implications of this judgement on your activities.
Ariel Yosefi, Partner
Co-Head | Technology & Regulation Department
Herzog Fox & Neeman