On 16 July 2020 the Court of Justice of the European Union (CJEU) issued a preliminary ruling with significant importance regarding the instruments for transfer of personal data outside EU to so called “third countries”, in particular to the US.

Why it has come this far?

The request for a preliminary ruling was made in connection with the actions of Austrian privacy activist Mr. Maximillian Schrems who turned to the Irish Data Protection Commissioner asking for the suspension of the transfers of his data as Facebook’s user made by Facebook to the US, at this stage mainly based on the Standard Contractual Clauses (SCC). After the invalidation of Safe Harbour framework that was previously in place for EU-US data transfers (the Schrems I case), Mr. Schrems argued that the SCC do not provide a sufficient level of personal data protection in transfers from the EU to the US, since the rules in the US create conditions for disregard for the contractual obligations of legal persons (in this case  of Facebook) in connection with the SCC concluded by them. In the meantime, a new framework – the EU-US Privacy Shield – was adopted and its validity was also put into question with the reference to the CJEU.

What are the key takeaways from the CJEU’s judgement?

• The EU-US Privacy Shield framework is invalid. The main arguments of CJEU are that:

(1) the US local laws enabling access and use of public authorities (via different surveillance programs) to personal data for national security, public interest and law enforcement purposes set limitations on personal data protection that are not proportionate and limited to what is strictly necessary as required by the EU law;

(2) the Ombudsperson mechanism in the Privacy-Shield framework does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, because the Ombudsperson:

(a) cannot be considered independent, as is appointed by the US Secretary of State and is an integral part of the US State Department, and

(b) is not empowered to adopt binding decisions on the US intelligence services.

• Where personal data are transferred pursuant to SCC, a level of protection essentially equivalent to that guaranteed within the EU by the GDPR and the Charter of Fundamental Rights of the EU must be afforded. According to CJEU, this means a case by case assessment regarding both the contractual clauses agreed between the EU-data exporter and the third country-recipient, and any access by the public authorities of that third country to the data transferred, as well as the relevant aspects of the legal system of that third country.

• Decision 2010/87 establishing the Standard Contractual Clauses as a tool for transfer of personal data remains valid.

According to CJEU, the Decision establishing the SCC contains effective mechanisms that make it practically possible to ensure compliance with the EU required level of protection and to suspend or prohibit the transfer in the event of the breach of the SCC or in case it becomes impossible to honour them. These mechanisms are:

(1) the obligation of the data exporter and the data recipient to verify, prior to any transfer, whether that level of protection is respected in the third country, and

(2) the requirement for the recipient to inform the data exporter of any inability to comply with the SCC, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

• Member States’ supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where:

(1) in the light of all the circumstances of the case, they consider:

(a) the SCC are not or cannot be complied with in that third country, and

(b) the protection of the data transferred that is required by EU law cannot be ensured by other means, and

(2) the EU-data exporter has not itself suspended or put an end to this transfer.

Why this decision is important?

The CJEU’s decision is crucial, because it reaffirms the problems regarding the EU-US data transfers identified years ago with the invalidation of Safe Harbour mechanism. It means that the EU will maintain its policy to insist on ensuring the highest possible data protection standards in its relations with third countries. The CJEU’s decision is a strong message to US government calling for implementation of additional safeguards in terms of data protection-national security paradigm.

For the business it means future uncertainties on how to lawfully arrange data transfers to third countries, especially to US, because:

• one of the key tools for data transfers to US – the Privacy Shield – is no longer available;
• the considerations of CJEU regarding non-conformity of the US surveillance programs with the EU privacy standards put in question whether the SCC – probably the most popular tool for data transfers – can be properly used for transfers to the US.

A probable solution could be a new privacy deal struck between EU and US, but in order to avoid the faith of Safe Harbour and the Privacy Shield, it needs to carefully address the issues identified by the CJEU that led to the invalidation of these tools.

Lastly, it seems likely to expect proactive approach from Member State supervisory authorities in terms of data transfers, especially in the light of their newly reaffirmed powers to suspend or prohibit a transfer based on SCCin certain cases where the effective compliance with the SCC in the third country or the level of data protection required by EU cannot be fully achieved.

Useful links:

• The full decision of the CJEU can be found here
• Press release of the CJEU can be found here
• Statement of the Irish supervisory authority on the CJEU decision can be found here
• Statement of the European Data Protection Board on the CJEU decision can be found here.

‍