A new judgement by European Court of Justice entails a significant shift for companies that are transferring EU citizen's personal data across the Atlantic.
On 16 July 2020, the Court of Justice of the European Union ("CJEU") issued its judgement in the long awaited case Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), more commonly known as "Schrems II". Schrems II has a long and convoluted backdrop. In short, the question the CJEU had to consider was whether EU citizen's personal data is sufficiently protected, pursuant to the General Data Protection Regulation ("GDPR"), when transferred to the US. This meant clarifying whether the current mechanisms for such international transfers, namely (i) the EU-US Privacy Shield and (ii) the EU Commission's Standard Contractual Clauses ("SCC"), are sufficient.
EU-US Privacy shield invalidated
Most surprisingly, the CJEU declared the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection provided by the EU-US Privacy Shield (the "EU-US Privacy Shield Decision") invalid. This means that companies can no longer rely on the EU-US Privacy Shield mechanism in order to transfer personal data from the EU/EEA to the US. According to the CJEU, US law limits the protection of personal data due to the access and use by US public authorities of such transferred data which are "[…] not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law". Additionally, the CJEU held that the EU-US Privacy Shield mechanism does not ensure EU citizens with any cause of action before a body which offer guarantees as those required under EU law.
SCC – Adequate protection now the data exporter's responsibility
In short, the CJEU held that the current SCC mechanism is still lawful. Nonetheless, the CJEU underlined that EU organizations have a proactive duty in evaluating, prior to the transfer, whether adequate levels of protection for the personal data are ensured when transferred to the importing jurisdiction. This means that the exporting entity must take into consideration relevant aspects of the legal system of the importing jurisdiction, as well as the adequacy of the contractual clauses agreed between the data exporter and the data importer. Effectively, personal data exporters now have greater responsibilities when it comes to ensuring the adequate protection of EU citizen's data protection rights when transferring personal data outside the EU/EEA.
The CJEU's judgement in Shcrems II entails a significant shift for companies that are transferring EU citizen's personal data across the Atlantic. Transfer mechanisms which rely on the EU-US Privacy Shield must now be scrapped and replaced with either binding corporate rules or the SCCs. Should any EU personal data exporter rely on the SCCs, such exporters must now assess for themselves whether the applicable importing jurisdiction have in place adequate protective measures that safeguards EU citizens' data protection rights.