The Schrems case "haunts" EU-US data transfers once again. CJEU invalidates the Privacy Shield, but gives a green light to the standard contractual clauses.
In a landmark preliminary ruling on data transfers between the European Union (EU) and the United States of America (US), the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield decision (Privacy Shield) void.
This decision of 16 July 2020 (Schrems II case) is the sequel to a previous ruling, in which the CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, which is now considered inadequate to ensure the level of protection required by the General Data Protection Regulation (GDPR). By contrast, the CJEU considered the Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (SCC) to be valid.
This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook user lodged his complaint with the Irish data supervisory authority, seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users who are resident in the EU is transferred to servers of Facebook Inc. located in the US, where it is processed under SCC. M. Schrems claimed that SCC would not offer sufficient protection against access by US public authorities to the data transferred to the US.
Following the Advocate General's Opinion (a non-binding opinion published on 19 December 2019), the CJEU considered SCC as adequate. The Court points out, in particular, that the SCC decision imposes an obligation on the data exporter and on the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the receiving country. The decision also requires the recipient to inform the data exporter of any inability to comply with SCC, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
On the other hand, the CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities on the basis of US domestic law.
Although SCC remain valid for international data transfers, organisations currently relying on SCC will have to consider whether, given the type of personal data, the purposes and context of the data processing, and the importer country, an "adequate level of protection" exists as required by EU law. If it does not, they should consider adopting additional safeguards. Organisations relying on the Privacy Shield will have to urgently seek alternative solutions, in particular the derogations provided for in the GDPR (e.g. the data subject's consent, or where the transfer is necessary for the conclusion or performance of a contract). SCC, binding corporate rules, approved codes of conduct or certification mechanisms may also be alternative solutions.