CJEU judges the EU-US Privacy Shield invalid

16. July 2020

On June 16th, 2020, the Court of Justice of the European Union (CJEU) has declared the invalidity of Decision 2016/1250, therefore rendering protection granted to data transfers under the EU-US Privacy Shield inadequate.

The background

The case originated in a complaint of Mr. Max Schrems against Facebook Ireland regarding the transfer of his personal data as a Facebook user to Facebook Inc., situated in the USA, for further processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to the USA. That complaint was rejected on the ground that, in Decision 2000/5205, the Safe Harbour Decision, the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on October 6th, 2015, the CJEU, to which the High Court of Ireland had referred questions for a preliminary ruling, declared that decision invalid, resulting in the Schrems I judgment.

Today’s judgement in the Schrems II case came from the request of the Irish High Court to Mr. Schrems to reformulate his initial complaint, seeing as the Safe Harbour Agreement had been deemed inadequate. In the following, Mr. Schrems reformulated his complaint, and claimed that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the Standard Contractual Clauses (SCCs) set out in the Annex to Decision 2010/87. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the SCCs, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court of Ireland also raised the question of the validity of both decisions,  Decision 2010/87 and  Decision 2016/1250.

Judgement in regard to SCCs

In its judgements, the CJEU has stated that it had, after examination of the SCCs in light of the Charter of Fundamental Rights, found nothing that affected the validity of the SCCs and Decision 2010/87.

With regards to the transfer of personal data to third countries, the CJEU claims that the requirements for such purposes set out by the GDPR concerning appropriate safeguards, enforceable rights and effective legal measures must be interpreted in such a way that data subjects whose personal data is transferred into a third country must be afforded a level of protection essentially similar to the level of protection granted within the European Union by the GDPR.

Data Protection Authorities must, unless an adequacy decision has been ruled by the Commission, be required to suspend or prohibit a transfer of personal data to a third country which does not meet these requirements.

The CJEU holds that the SCCs are still effective mechanisms that make it possible to ensure compliance with a level of protection required by the European Union. In that regard the CJEU points out that this imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and to suspend the transfer of the personal data if it is not.

Judgement in regard to the EU-US Privacy Shield

The CJEU, after thorough examination, concluded that the EU-US Privacy Shield is not adequate protection for transfers to the USA.

This result comes from the fact that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The USA limits most of its protections of personal data from governmental surveillance to US citizen, but does not extend that protection to the personal data of citizens of other countries.

In essence, the limitations on the protection of personal data arising from the domestic law of the USA on the access and use by US public authorities of such data transferred from the European Union are not restricted in a way that satisfies requirements that are equivalent to those required under EU law, which were mentioned in regards to SCCs above. By the principle of proportionality, the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Unless an empowerment and independence of the Ombudsperson takes place, which would give the competence to adopt decisions which are binding on US intelligence services, there are no substantial cause of actions for data subjects before a body which gives legal guarantees in the way that is required by European law for transfers to be equivalent in protection.

Assessment

Overall, the CJEU states that necessary data transfers are still able to continue under Article 49 of the GDPR. However, the provision’s interpretation is restrictive, leaving most companies with data transfers to the USA which are now considered illegal.

Due to the requirements of adequate protection even when relying on the validated SCCs, transfers under such circumstances may also be found unlawful due to the local intelligence laws in the USA, which do not uphold the requirements necessary by European law.

Overall, it is a clear statement of the necessity of reforms of the US intelligence laws, which have to create adequate protections to be able to guarantee the same level of data protection as the European Union, if they want to continue data trades and data transfers necessary for processing.

What does this mean for you?

  • If your business has a EU-US Privacy Shield certification, and uses such for legitimization of data transfers within a group of companies, you should push towards the use of the European Standard Contractual Clauses within that corporate group.
  • If you are employing service providers which rely on the EU-US Privacy Shield certification, you should also push for the use of Standard Contractual Clauses, or base the data transfer on a different solution for an adequate level of data protection.