CJEU Invalidates the EU-US Privacy Shield for the Transfer of Personal Data under the GDPR

On July 16, 2020, the Court of Justice of the European Union (CJEU) released its decision in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (C-311/18), declaring the EU-US Privacy Shield to be invalid on the basis that it does not provide adequate protection for transferring personal data from the European Union (EU) to third parties in the United States (US).

The transfer of personal data subject to the General Data Protection Regulation (GDPR) to a third country may take place only if that third country ensures an adequate level of data protection through: (i) an adequacy decision of the European Commission (Article 45 of the GDPR); or (ii) if the data controller or processor has provided appropriate safeguards (Article 46 of the GDPR).

The case began in 2013 when Mr. Schrems, an Austrian national, brought a complaint against Facebook Ireland seeking to prohibit the transfer of his personal data to the US on the basis that the law and practices in the US did not offer sufficient protection against access by US public authorities. In 2015, the dispute reached the CJEU which invalidated the predecessor Safe Harbour Framework (previously reported by the E-TIPS® Newsletter here). Subsequently, the European Commission adopted the EU-US Privacy Shield in Decision 2016/1250 as a mechanism to transfer personal data from the EU to the US in compliance with EU data protection laws.

In the present decision, the CJEU held that the EU-US Privacy Shield does not adequately protect against the potential access to and the use of personal data transferred to the US by US public authorities under national surveillance laws. Furthermore, the Privacy Shield ombudsperson mechanism does not provide enforceable rights and effective legal remedies to individuals before the courts against US authorities.

The CJEU upheld the validity of the Standard Contractual Clauses (SCCs) adopted by the European Commission in Decision 2010/87 as a valid legal tool for the transfer of personal data to third countries, subject to the requirement that data subjects be afforded a level of protection essentially equivalent to that guaranteed within the EU. Prior to any data transfer, the data exporter and data recipient must consider the local laws and practices of the country to which data will be transferred to ensure compliance with the SCCs. Where such compliance is not possible the data exporter, or otherwise the supervisory authority, must suspend or prohibit data transfer to that country.

In light of this landmark decision, organizations relying on the EU-US Privacy Shield must now establish an alternative data transfer mechanism to ensure GDPR compliance.

Summary By: Anna Troshchynsky