A recent decision of the Court of Justice of European Union (CJEU) in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (known as “Schrems II”) has declared the EU-US Privacy Shield to be invalid. This article looks at the background to the EU-US Privacy Shield, the key points of the CJEU’s ruling and its impact.
What was the EU-US Privacy Shield?
- The EU-US Privacy Shield, being an agreement between the European Commission and US Department of Commerce, aimed to allow for the free transfer of data between EU and US organisations. It was intended to ensure that any personal data transferred to an organisation in the US from an organisation based in an EU country was subject to appropriate levels of protection.
- Fundamentally, it meant that businesses in the US that received data from their EU counterparts could choose to commit to a set of data protection principles to ensure their compliance with EU law and make it easier for EU organisations to transfer personal data to US organisations.
- These principles under the Privacy Shield broadly reflect the rights afforded to data subjects under the General Data Protection Regulation (GDPR), such as the right to access personal data and the right to have personal data erased.
What did the Court of Justice of the European Union decide?
- US domestic law on the international transfer of data did not provide an equivalent level of protection to that afforded by EU law.
- This was on the basis that US authorities had seemingly unfettered access to personal data transferred from the EU for the purposes of protecting national security.
- As such, the CJEU deemed the Privacy Shield to be an inadequate mechanism for the protection of individuals’ personal data.
- Separately, for businesses relying on standard contractual clauses to transfer data to processors outside of the EU, they must ensure that the rights and remedies of data subjects in the third country are at least equivalent to those guaranteed under the GDPR.
What effect does this have on businesses transferring data from the EU to the US?
- The judgment means that businesses in the EU that have transferred data to the US under the Privacy Shield will no longer be able to rely on this framework for future transfers.
- Instead, businesses should look to rely on one or more of the other exemptions permitted by EU law for international transfers, such as standard contractual clauses or binding corporate rules.
- If businesses choose to rely on standard contractual clauses, they should assess whether the countries to which they are transferring data have equivalent legal protections for EU data subjects as those that exist under the GDPR.
- As US law has been deemed to not provide equivalent protections to EU law, businesses looking to rely on standard contractual clauses to transfer data to the US will need to decide whether any further security measures can be put in place for the individual arrangements.
- To assist with this, the European Data Protection Board has recommended that businesses undertake risk assessments as to whether these clauses offer enough protection to data subjects in respect of the country to which their data is being transferred.
The decision in Schrems II is one of the most significant developments since the implementation of the GDPR. It makes the transfer of personal data to organisations based in the US fundamentally more difficult and increases the administrative burden required for international data transfers.
As such, businesses must now consider whether or not they can transfer personal data to US organisations and, if still required, the additional measures that they need to put in place for the transfer to be lawful under the GDPR.
If your business is affected by the matters discussed above, the Data Protection Team at Leathes Prior would be happy to assist and provide advice on alternative ways for you to meet your data protection obligations. Please contact us on 01603 281141 or email@example.com for more information.