The European Court of Justice (the CJEU) invalidated the data privacy shield (the DPS) with the United States on 16 July 2020. The DPS was a means of permitting cross-border data transfers from the EU to the US for commercial purposes, to those companies in the US that certified adherence to standards that provided equivalent levels of protection offered by the EU General Data Protection Regulation (the GDPR). In the US, the DPS system has been administered by the US Department of Commerce and enforced by the US Federal Trade Commission.

This invalidation of the DPS by the CJEU has arisen because the CJEU has determined that US law fails to adequately protect EU personal data. This invalidation terminates special access to Europe’s personal data streams by US organisations without other protections. Consequently, cross-border data transfers from the EU to the US may now only occur via the use of appropriate safeguards, which for most will consist of standard contractual clauses (as well as binding corporate rules and derogations). Data recipients in the US are now relegated to the use of such GDPR mandated safeguards, as the US failed to receive an adequacy decision from the European Commission specifically because its domestic laws fail to provide protection to data subjects at a level that is deemed adequate in relation to the GDPR.

The standard contractual clause mechanism theoretically ensures data protection standards that afford a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. However, data controllers must still assess the level of data protection in a data recipient’s country and suspend any data transfers if they consider the data protection to be inadequate to meet their obligations under the GDPR. The assessment of the level of protection must consider both the contractual clauses agreed between the data exporter established in the EU and the data recipient in the receiving country as well as any access to the data by public authorities in the receiving country and relevant aspects of the legal system of the receiving country. According to the CJEU, prior to any transfer, an EU data exporter and the recipient of the data must verify whether adequate protections are respected in the receiving country. Such an assessment requires the data recipient to inform the data exporter of any inability to comply with the standard data protection clauses, in which case the EU data exporter would be obliged to suspend the data transfer and/or to terminate the contract with the recipient.

Furthermore, the data supervisory authorities in the EU member states must also suspend transfers of personal data if they deem them unsafe under EU data protection regulations and directives. Unless a valid adequacy decision is conferred by the European Commission, any member state supervisory authority must suspend or prohibit a transfer of personal data to a third country if: (1) it believes the standard contractual clauses (or other alternative safeguards) are not or cannot be complied with in that country; and (2) the protection of the data transferred required by EU law cannot be ensured by other means (particularly where the data exporter established in the EU has not itself suspended or terminated such a transfer).

The requirements of the GDPR must be considered in relation to the provisions of the EU Charter of Fundamental rights, which guarantees respect for a private and family life and directly affects personal data protection and the right to effective judicial protection. In this respect, the CJEU notes that the requirements of US national security, public interest and law enforcement have primacy that condones interference with the fundamental rights of persons whose data are transferred to the US.

According to the CJEU, limitations on the protection of personal data under US law, in relation to the access and use by US public authorities of data transferred from the EU to the US, are not restricted in a manner that satisfies requirements that are essentially equivalent to those required under EU law per the principle of proportionality. The CJEU sees this specifically in the case of US domestic surveillance programmes because they are not limited to what is strictly necessary and cast too broad a net; there are no indications as to limitations on the power they confer or the existence of guarantees for potentially targeted non-US persons. The CJEU further found that while there may be requirements with which US authorities must comply when implementing such surveillance programmes, data subjects are not granted actionable rights before the courts against US authorities.

The DPS provided for an Ombudsperson mechanism that would facilitate the processing of requests from EU individuals relating to national security access to data transmitted from the European Union to the US. The CJEU has found that the ombudsperson mechanism has failed to provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the ombudsperson provided for by that mechanism and the existence of rules empowering the ombudsperson to adopt decisions that are binding on the US intelligence services.

Because of the global jurisdictional ambit of the GDPR, any companies in Hong Kong (or anywhere else for that matter) must now reconsider how they transfer GDPR-covered data to the United States and how such data is safeguarded.