Privacy Shield invalidated

Under the General Data Protection Regulation (the GDPR), transfers of personal data to third countries outside the EU and the EEA may only take place if safeguards are in place to ensure that the data remains adequately protected in the third country. One of the grounds for a lawful transfer is an adequacy decision of the European Commission.

With last week’s judgement (the “Schrems II” case), the CJEU invalidated the Commission’s adequacy decision on the EU-US Privacy Shield framework. The Court found that the framework does not ensure an adequate level of protection of personal data, because US law permits surveillance by public authorities that goes beyond what is strictly necessary and gives EU data subjects no effective remedy. This means that transatlantic transfers of personal data to Privacy Shield certified companies in the USA cease to be lawful unless other safeguards are applied. The invalidation of the Privacy Shield follows the CJEU’s 2015 judgement (the “Schrems I” case), in which the Court invalidated the previous EU-US privacy framework, the Safe Harbour principles.

The standard contractual clauses remain valid, but are they enough?

An alternative to relying on the Commission’s adequacy decisions for data transfers is to incorporate standard data protection clauses adopted by the Commission into the agreements between the data exporter (the controller in the EU) and the data importer in the third country. The validity of these standard contractual clauses (SCCs) was also challenged before the CJEU.

The Court declared that the SCCs remain valid. The SCCs can therefore still be used for transferring personal data to third countries. However, the CJEU emphasises in its judgement that data exporters must diligently verify, on a case-by-case basis (and if necessary, in collaboration with the data recipient), whether the law of the recipient country ensures a level of protection essentially equivalent to that guaranteed in the EU. This assessment must take into account both the SCCs and the law of the third country as regards access to the data by its public authorities. Where necessary, the data exporter must provide additional safeguards beyond those offered by the SCCs.

The Court further held that the data exporter is bound to suspend the transfer of data and/or to terminate the contract if the data recipient is not, or is no longer, able to comply with the SCCs. If the data exporter fails to provide additional safeguards when required, or fails to suspend the transfers or terminate the relevant contracts, it will be in breach of the GDPR and will risk being fined for the infringement.

If the data exporter fails to take adequate measures, or to suspend or put an end to the transfer, the competent supervisory authority is required to suspend or prohibit the transfer of personal data to the third country concerned. The CJEU explicitly stresses that this is particularly the case where the law of the third country imposes obligations on the recipient that are contrary to the SCCs and therefore does not provide an adequate level of protection against access by the public authorities of that third country.

The implications

In light of the judgement, companies should verify whether they transfer any data to the USA solely on the basis of the Privacy Shield. If so, alternative safeguards should be put in place. Companies should, however, exercise diligence when relying on the SCCs and, if necessary, apply additional safeguards. More scrutiny will likely be applied to the use of the SCCs in the future. There is a considerable risk that, for data transfers to the USA, the mere use of the SCCs will be considered inadequate.

The judgement creates legal uncertainty and may lead to diverging conclusions among the supervisory authorities in the EU. Businesses risk infringing the GDPR if they use the SCCs without also assessing, on a case-by-case basis, the level of protection provided in the third country.