On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down a major ruling on the data transfer regime between the European Union and the United States in the so-called “Schrems II” case.
What does the “Schrems II” ruling say?
In its decision of 16 July 2020 [1], the CJEU:
- – on the one hand, invalidated the Privacy Shield adequacy decision allowing the transfer of data by a European entity to organisations established in the United States;
- – on the other hand, validated the standard contractual clauses (SCC) allowing the transfer of data from the European Union to importers established outside the European Union.
Transfer of personal data outside the European Union
The General Data Protection Regulation (‘the GDPR’) [2] provides that the transfer of personal data to a third country (including the USA) may, in principle, take place only if the third country in question ensures an adequate level of data protection.
According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection [3]. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies [4].
Privacy Shield
The Privacy Shield [5] is an adequacy decision, adopted in 2016 by the European Commission establishing a self-certification mechanism which allowed the transfer of data between the EU and US companies adhering to its data protection principles.
The CJEU has just invalidated the adequacy of the protection provided by the EU-US Privacy Shield “in the light of the requirements arising from the GDPR, read in the light of the provisions of the Charter [of Fundamental Rights of the European Union] guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection.” [6]
As our Lexing France correspondent reminds [7], the Privacy Shield had been challenged by Austrian privacy activist Max Schrems as soon as it was adopted. With this Schrems II ruling, Max Schrems, who had already obtained the invalidation of the “Safe Harbor” in 2015 (Schrems I) [8] thus also obtained the invalidation of the Privacy Shield.
“This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic” says our Lexing USA correspondent, Françoise Gilbert, who wrote that this decision “destroy[s] the virtual bridge that allowed 5,378 US based Shield self-certified organizations to conduct business with entities located in the European Union and European Economic Area [9] .
Standard Contractual Clauses
In its ruling, the CJEU nonetheless validated the standard contractual clauses set out in the Annex to Decision 2010/87 [10] allowing the transfer of data from the European Union to importers established outside the European Union.
However, that validity, the Court added, depends on whether “such a standard clauses decision incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them” [11].
What’s next?
The European protection authorities, assembled within the European Data Protection Board, are currently conducting a precise analysis of the judgment [12]. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States. In the meantime, our Lexing France and Lexing USA correspondents present you with the stakes involved in this decision:
- What are the immediate consequences for data transfers to the United States?
- What about the validity of the standard contractual clauses?
- What can you do to ensure the legality of your data transfers to the USA from now on?
Read the article (in English) on the Lexing USA website
Read the article (in French) on the Lexing France website
« Le Privacy Shield invalidé par la Cour de justice de l’Union européenne », 17-7-2020
[1] CJEU case C‑311/18 of 16-7-2020, Schrems II
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1)
[3] Article 45 of the GDPR
[4] Article 46(1) and (2)(c) of the GDPR
[5] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield
[6] Court of Justice of the European Union Press release N° 91/20 of 16-7-2020
[7] Lexing Alain Bensoussan Avocats “Le Privacy Shield invalidé par la Cour de justice de l’Union européenne“, 17-7-2020
[8] CJEU case C-362/14 of 06-10-2015, Schrems I
[9] European Court of Justice Decision Creates Havoc in Global Digital Exchanges: One Shot Down, One seriously Injured; 5,300 Stranded, 16-7-2020, Françoise Gilbert
[8] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100)
[9] Françoise Gilbert, “European Court of Justice Decision Creates Havoc in Global Digital Exchanges: One Shot Down, One seriously Injured; 5,300 Stranded“, 16-7-2020
[10] CJEU case C‑311/18 of 16-7-2020 (Schrems II), paragraph 137
[12] Cnil, “Invalidation of the “Privacy shield”: the CNIL and its counterparts are currently analysing its consequences“, 17-7-2020; EDPB “Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, 17-7-2020