The Court of Justice of the European Union (CJEU) has published its long-awaited decision in the case of Data Protection Commissioner [Ireland] v Facebook Ireland Ltd. and Maximillian Schrems (referred to as “Schrems II”). The CJEU has confirmed that the EU standard contractual clauses (SCCs) can provide a lawful framework for international transfers of personal data. At the same time, however, the court invalidated the EU-US Privacy Shield framework for personal data transfers to the United States.
What did the CJEU say?
Echoing the Advocate General’s opinion from December of last year, the CJEU confirmed the validity and sufficiency of the SCCs. However, transfers of personal data pursuant to the SCCs can (and should) be suspended or stopped entirely if the protection for personal data required by EU law cannot be ensured in the recipient country. It is up to the data exporter and the data recipient to determine, before any data transfer, whether the level of protection in the third country is sufficient to enable compliance with the SCCs. The CJEU also reiterated the fact that national data protection authorities have an obligation to intervene to suspend data transfers where the SCCs cannot be complied with in the recipient jurisdiction.
However, turning its attention to the EU-US Privacy Shield, the CJEU called sharply into question the protections granted to personal data in the context of the United States national security and intelligence services. The domestic law of the United States on the use of personal data by public authorities does not, in the CJEU’s view, provide protections that are essentially equivalent to those required under EU law. Given these issues, the CJEU declared Decision 2016/1250 (which approved the adequacy of the EU-US Privacy Shield) invalid.
What does this mean for businesses?
In part, this decision will come as a relief to businesses for whom the use of the SCCs is fundamental to ongoing compliance with the GDPR’s restrictions on international data transfers. However, the invalidation of the EU-US Privacy Shield, and the CJEU’s broader commentary on the lack of protection for personal data in the United States, do mean that organisations will need to understand and carefully assess the ramifications of any current and planned trans-Atlantic transfers of personal data. They will also need to consider more widely the circumstances in which they rely on SCCs for international transfers and the due diligence that may be required beforehand.
"The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country ... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law." CJEU Press Release