03 Nov 2020
CJEU Decision on Data Transfers between EU and US
The EU Court of Justice Judgment (CJEU decision), published on the 16th of July 2020, has struck down the main mechanism for data transfers between the EU and the US (“Privacy Shield”), while it has confirmed the European mechanism for data transfers outside the EU, called Standard Contractual Clauses (“SCCs”), which remain valid, according to the Court, as long as it is assessed that the third country provides a sufficient level of data protection.
This ruling was issued with reference to the case “Schrems II”. Max Schrems, privacy activist and lawyer, had questioned the two different legal regimes for data transfers between the EU and the US, i.e. the US surveillance law and the EU data protection law. In particular, Schrems argued that the strong US surveillance powers provided by the Foreign Intelligence Surveillance Act conflict with the EU citizens’ data protection rights granted by the EU Charter of Fundamental Rights, the European Convention on Human Rights and the General Data Protection Regulation. He also raised specific questions on the legality of the European data transfer mechanism used by Facebook and other companies to outsource personal data processing from the US to the EU. These concerns were addressed to the Irish Data Protection Commission, where he asked for the suspension of Facebook’s use of SCCs.
This case between Schrems and Facebook ended up in the Irish Courts, which referred many questions on the data transfer mechanisms to the CJEU. Specifically, the Irish Courts’ referral included questions about the EU-US Privacy Shield, which was the European Commission’s flagship data transfer agreement. The CJEU decided to strike down the Privacy Shield scheme approved by the European Commission since it considered that the US surveillance laws are excessive. As for the SCCs, the CJEU has not invalidated the mechanism itself, which does not by itself assess the quality of the third country’s protections. However, it highlighted that SCCs can be used only on the condition that appropriate legal conditions are in place to guarantee EU citizens’ data rights. This means that if the data protection level is not equivalent to that offered by EU law, the Controller has to suspend the data transfers, and the EU regulators also have to act accordingly in case of complaints on data transfers to third countries.
Regarding this decision, Věra Jourova, the EU Commissioner, said that “The Court of Justice declared the Privacy Shield decision invalid but also confirmed that the Standard Contractual Clauses remain a valid tool for the transfer of personal data to processors established in the third countries. This means that the transatlantic data flows can continue based on the broad toolbox for international transfers provided by the GDPR”, such as binding corporate rules and SCCs.
- Court’s decision: implications for data transfers to the US
Following the CJEU decision, companies transferring EU citizens’ data to the US under the EU-US Privacy Shield scheme have to seek other appropriate safeguards provided by article 46 of the GDPR (SCCs, binding corporate rules, explicit consent of the data subject, necessary transfers or transfers in the public interest or the interest of the data subject) or rely on one of the derogations of article 49 of the GDPR, as long as their conditions are met. Unfortunately, the Court has not provided any grace period during which data transfers to the US can take place without assessing the legal basis for the transfer, since the level of data protection under US law has been assessed as not equivalent to that in the EU.
- Court’s decision: implications for data transfers to any third country
This decision affects not only the transfers of personal data to the US but also to any third country. This means that all data transfers to countries outside the EU must take place under the conditions specified by the Court.
- Court’s decision: implications for the appropriate safeguards of art. 46 GDPR
The threshold set by the Court is applicable to all appropriate safeguards provided by article 46 of the GDPR. Therefore, the data exporter and data importer, regardless of the mechanism on which the transfer is based (e.g. binding corporate rules, SCCs etc.), have the obligation to verify whether that level of protection is respected in the third country.
In particular, the Court has stated that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned, in order to determine whether the guarantees provided by the SCCs or the binding corporate rules can be complied with in practice. If not, supplementary measures must be taken to ensure an essentially equivalent level of protection to that provided in the EEA, and it must be verified that the law of the third country will not undermine the effectiveness of these measures.
Steps to be followed prior to any transfer to third countries without adequacy decision
The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection (adequacy decision). The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. So, data transfers from and to third countries without an adequacy decision require taking safeguards based on the provisions of the GDPR.
Following the above CJEU Decision on Data Transfers and its clarifications on this issue, we recommend that you follow the steps below prior to proceeding with any transfer to third countries without an adequacy decision:
- Verify the legislation of the third country to check whether it provides a level of data protection equivalent to EU law. If the third country’s level of data protection is not sufficient, take supplementary measures to ensure that the third country’s law does not impinge on the essentially equivalent level of protection afforded in the EEA and provided by the transfer tools of article 46 of the GDPR.
- If there is no adequacy decision, or appropriate safeguards provided by article 46 are not put in place, check if one of the derogations under article 49 of the GDPR applies.
- If the above legal grounds cannot be found, personal data should not be transferred outside the EEA and all processing activities should take place in the EEA.