Logo
Media Centre

European Court of Justice Invalidates Privacy Shield but Re-approves Standard Contractual Clauses

Ariel Yosefi

16 July 2020

16/07/2020
Technology & Regulation in the Spotlight

The European Court of Justice (“CJEU“), has published a ruling which invalidates the EU-US personal data transfer scheme “Privacy Shield, but reaffirms the transfer of data using the “standard contractual clauses” mechanism.

 

Background

According to the European General Data Protection Regulation (“GDPR“) the transfer of personal data from the EU to another country is restricted and subject to various conditions. The European Commission (“EC“) is authorized to afford recognition to certain countries that offer an adequate level of privacy protection, in order to allow the free transfer of personal data from the EU to these countries without the need to comply with other restrictions and conditions.

The United States has never afforded this level of recognition by the EC. However, the EC recognized a similar level of adequacy in the case of transferring personal data to US-based companies which have participated in the self-certification scheme – “the Privacy Shield“.

The GDPR also allows the legal option to transfer data from the EU to a third country pursuant to an adequate contractual mechanism. Such mechanism was developed by the EC’s Standards Contractual Clauses (“SCC“).

These mechanisms of data sharing have been in the focus of European courts since 2013, well before the enactment of the GDPR. In 2015, the CJEU, in the judgement known as “Schrems I”, has struck down a previous data transfer framework (the “Safe Harbor”), as it did not guarantee an adequate protection for EU citizens’ data. After this ruling the mechanism was revised, the Privacy Shield certification was created and has been key method of data transferring between the EU and the US since.

 

The CJEU’s Recent Judgment

In April 2018, the Irish High Court referred interpretive questions to the CJEU, including on the validity of the Privacy Shield and the SCCs. After almost two years of discussions, the CJEU has given its long anticipated judgment (also known as “Schrems II“).

With respect to challenging the SCC, the CJEU has decided to revalidate the EC’s decision allowing this mechanism. However, the CJEU stated that EU law, and particularly the GDPR, apply to the transfer of personal data from the EU to a third country, even if the data might be processed by local authorities in that country. Hence, EU supervisory authorities would have to suspend or prohibit transfer of personal data to a third-country if they find that the SCCs cannot be complied with in that country. The data exporter and the recipient must also verify the compliance with the SCCs.

As to the Privacy Shield, the court has found this mechanism invalid. In view of the CJEU, the limitations on personal data protection, which are imposed by US domestic law on the access and use by the US authorities of personal data, are not circumscribed to an extent that satisfies the requirement of an equivalent protection. Specifically, the Court held that the US surveillance programs do not follow the principle of proportionality, as the access and use are not limited to the extent that is strictly necessary. In addition, the court held that the Privacy Shield lacks the measures to enforce a substantially equivalent protection of data subjects to those required by EU law.

 

Implications

This ruling of the CJEU puts an end to the personal data sharing between the EU and the US that is based on the Privacy Shield. Immediate and complex implications are expected for companies that currently rely on this mechanism.

Companies that transfer personal data from the EU to the US must analyze their data sharing mechanisms and consider proper adjustments that would allow the implementation of alternative data transfer legal mechanisms.

Feel free to contact us if you have any questions regarding the implications of this judgement on your activities.

Kind regards,

Ariel Yosefi, Partner

Co-Head | Technology & Regulation Department

Herzog Fox & Neeman

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search