Today, 16 July 2020, following the complaint filed by Maximillian Schrems regarding Facebook's transfer of personal data from the EU to the US, and the judicial proceedings that followed, the EU Court of Justice issued a decision invalidating the Privacy Shield. This data transfer mechanism was put in place to provide companies on both sides of the Atlantic with a way to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
However, the previous Commission decision (Decision 2016/1250) which enabled this mechanism has been declared no longer valid by the EU Court of Justice (CURIA).
Why the Shield was cracked
According to the Court:
the requirements laid down by the GDPR for the purposes of personal data transfers, concerning appropriate safeguards, enforceable rights and effective legal remedies, must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR;
the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country;
in this respect, the Court noted that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements essentially equivalent to those required under EU law by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
Are Standard Contractual Clauses still valid?
The Court also examined the validity of Decision 2010/87 establishing the Standard Contractual Clauses (SCCs), an alternative safeguard for enabling data transfers to third countries.
The validity of the SCCs, according to the Court, depends on whether effective mechanisms can be adopted that make it possible, in practice, to ensure compliance with the level of protection required by EU law, and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of a breach of such clauses or of it being impossible to honour them.
The Court points out, in particular, that the decision imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
What can Supervisory Authorities do now?
The decision stresses that the competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where, in the light of all the circumstances of that transfer, they take the view that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the transferred data required by EU law cannot be ensured by other means, and where the data exporter established in the EU has not itself suspended or put an end to such a transfer.
What can you do?
If your company, directly or via its outsourcers, transfers personal data to the US, there are several options to be considered: firstly, considering alternative appropriate safeguards under Article 46 of the GDPR to guarantee a safe data transfer; secondly, reviewing your Data Processing Agreements with processors who transfer data to the United States; thirdly, reviewing the content of your privacy notices to align them with your new structure; and finally, considering moving some services within the EU.