The Court of Justice of the European Union (CJEU) declares invalid a decision of the European Commission which attested that the EU-U.S. Privacy Shield provided adequate protection to personal data transferred from the EU to the U.S., if the receiving party had self-certified its adherence to the Privacy Shield Principles. At the same time, the CJEU clarifies that the so-called standard contractual clauses (SCC) may still be used – with important caveats.
The Verdict’s Massive Impact
The ruling has an impact on (a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and (b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.
Reasoning Behind the Annulment
As in the case of the Privacy Shield’s predecessor (the “U.S.-EU Safe Harbor Framework”), which was overturned by the CJEU in 2015, the CJEU criticizes the fact that neither U.S. law nor the Privacy Shield provides for effective remedies against the far-reaching rights of U.S. intelligence services. Therefore, the Privacy Shield does not meet the strict requirements of EU data protection law. The CJEU also found that the Privacy Shield ombudsman role was ineffective for providing EU data subjects an adequate level of protection or appropriate redress.
The Good News: CJEU Approved the SCC (Processors)
Fortunately, today’s ruling explicitly confirms the general validity of the SCC (Standard Contractual Clauses) as such, while leaving them open to challenge in the future. However, the CJEU stresses that the parties to the transfer are responsible for assessing, on a case-by-case basis, whether the SCC constitute a suitable mechanism to justify the transfer in question.
Depending on the laws and regulations of the country of destination, compliance with the SCC may require additional measures to be taken by the parties to secure the personal data subject to the GDPR. The CJEU emphasizes that the parties must immediately refrain from transferring data if its adequate protection cannot be ensured. If the parties, nevertheless, continue to base their processing on the SCC, then according to the CJEU, the competent EU supervisory authority must suspend or prohibit the transfer. In doing so, it should involve the European Data Protection Board, where appropriate, to ensure consistency of decisions across the EU.
What Now?
Companies that are subject to the GDPR should review (i) their data flows to the U.S. and (ii) the legal mechanism relied on for each such transfer, and (iii) where the EU-U.S. Privacy Shield is the current transfer mechanism, put in place a legitimate transfer mechanism for those activities.
Even where data transfers are based on SCCs and are made to non-EU states other than the U.S., organizations should verify that the undertakings in the SCC are met throughout their term. Any changes required by the above may also need to be reflected in the company’s privacy policy, records of processing activities, and similar documentation.