16 Jul 2020
Today, the Court of Justice of the European Union (CJEU) announced its judgment in the case referred to as 'Schrems II' (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid as it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States. It did however rule that standard contractual clauses (SCCs) for the transfer of personal data from the EU to countries outside the EU remain valid; also stating that companies relying on SCCs have several obligations to ensure compliance with EU data protection requirements.
A replacement for the Safe Harbor Framework, the Privacy Shield became operational in August 2016. Now, like its predecessor, a decision of the CJEU has rendered it invalid in the EU, primarily due to concerns over the access that U.S. intelligence agencies have to EU citizens' data.
So this seems to leave SCCs as the main option available to EU organisations. However, the Court highlighted that data controllers relying on them need to assess the level of data protection afforded by the country to which the personal data is being transferred (e.g. the USA). Specifically, data controllers must:
- collaborate with their data processors and data subjects to determine whether the data protection laws of the recipient country fail to provide adequate protection for data subjects
- take measures to compensate for any failings to supplement the protections afforded by the SCCs
- consider measures that include ensuring that data subjects have enforceable data subject rights and access to effective legal remedies
- suspend or end the transfer of personal data from the EU to the USA where the data controller or data processor cannot take such additional measures to guarantee adequate protection
Several countries outside of the EU (and probably the UK when it emerges from Brexit 'Transition') have recognised the EU SCCs or adopted model contract clauses similar to the EU SCCs as legal mechanisms for international personal data transfers. They may now require data controllers to conduct country-specific data protection law assessments and provide additional safeguards for any deficiencies revealed.
We can hope that this decision will lead to a change in U.S. surveillance laws or the monitoring practices of U.S. intelligence agencies, but realistically that is likely to be a long-term process at best.
In the meantime, organisations must continue to ensure that their privacy practices and procedures comply with the requirements of EU (and UK) data protection laws when they implement alternate transfer methods.
Note for our clients
We have amended section 9 of our Privacy Notice to reflect these changes.