»Schrems II« judgment – The Court of Justice invalidates the decision on the adequacy of protection provided by the EU-U.S. Privacy Shield

30 July, 2020

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the »Schrems II« case (DPC Ireland v. Facebook Ireland and Schrems). It declared invalid Decision no. 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, which served as one of the grounds for the transfer of personal data from the EU to the U.S., while declaring that the standard contractual clauses (SCCs) for the transfer of personal data to third countries remain valid.

Under the General Data Protection Regulation (GDPR), the transfer of personal data to third countries is only permitted if the latter ensure an adequate level of personal data protection. This can be established by the European Commission in an adequacy decision (such as the »Privacy Shield«). In the absence of such a decision, data transfers to a third country are only permitted if the data exporters established in the EU provide appropriate safeguards and the data subjects have enforceable rights and effective legal remedies, e.g. using standard contractual clauses or binding corporate rules (Article 46 of the GDPR), or on the basis of the exceptions provided in Article 49 of the GDPR.

After the Court of Justice declared invalid the decision on the adequacy of protection on the basis of the so-called "Safe Harbor" agreement in 2015 (»Schrems I« judgment), the EU and the U.S. concluded the »Privacy Shield« Agreement. The adequacy of this agreement was confirmed by the Commission in its Decision no. 2016/1250, thus eliminating the need for a special permit, safeguards under Article 46 or compliance with the special conditions of Article 49 of the GDPR when transferring personal data to U.S. companies that were self-certified on the basis of the »Privacy Shield«.

In its »Schrems II« decision, the Court of Justice declared Decision no. 2016/1250 invalid. It justified the decision by stating that the protection of personal data as provided by U.S. law is not equivalent to the level of protection in the EU. It highlighted, in particular, the excessive powers of public authorities in accessing transferred personal data and the inadequacy of the powers of the institution of the U.S. Ombudsman, which is supposed to guarantee the right to a legal remedy.

At the same time, the court decided that the transfer of personal data on the basis of standard contractual clauses, enforced by Commission Decision no. 2010/87, remains in force. That Decision contains effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by European Union law and to suspend or prohibit transfers of personal data in the event of an infringement pursuant to such clauses. In that regard, it emphasized that it is the obligation of both the data exporter and the recipient to verify that the required level of protection is respected in the third country. In the event that the recipient is unable to provide an adequate level of protection of personal data, it is obliged to inform the data exporter.

The declaration of invalidity of Decision no. 2016/1250 therefore does not mean that the transfer of personal data to the U.S. will no longer be possible, as only one of the legal bases provided for in the GDPR ceased to apply. It is important, however, that controllers who have been transferring data to the U.S. under the Privacy Shield agreement justify the transfer on one of the remaining valid legal bases. At the same time, they will have to ensure that appropriate safeguards are in place to protect the privacy and fundamental rights and freedoms of individuals.

The full text of the judgment is available at this link.