Major disruption to US data transfers as EU-US Privacy Shield declared invalid by CJEU

The CJEU has upheld the validity of the SCCs, but held the Privacy Shield to be invalid because of the security regime operating in the US. 

17 July 2020

Thursday 16 July 2020 saw the Court of Justice of the European Union (“CJEU”) issue its decision on the validity of two international data transfer mechanisms: the “Privacy Shield” mechanism, which allowed for transfers between the EU and the US, and the Standard Contractual Clauses (“SCCs”), which are of more general application. Both of these mechanisms were confirmed by decisions of the European Commission.

The “Privacy Shield” mechanism resulted from European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. The SCCs are non-negotiable contractual clauses that the European Commission has decided offer sufficient safeguards on data protection for the data being transferred internationally. There are three versions of the SCCs that can be used; however, this case focussed on the version approved in European Commission Decision 2010/87.

This is the second high-profile case brought by the privacy activist and lawyer Max Schrems, who was previously successful in his attempt to force the CJEU to overturn the EU-US Safe Harbour arrangement, the predecessor to the Privacy Shield, in 2015.

In its latest decision, the CJEU has upheld the validity of the SCCs, thereby giving assurance to many businesses whose data operations rely on such clauses. However, the CJEU held the Privacy Shield to be invalid, largely because of the security regime operating in the US and the resulting access to personal data.

Implications of the decision

As the Privacy Shield has been held to be invalid, it is now unlawful for parties to transfer personal data to the US using this regime. As personal data will not simply stop flowing to and from the US, businesses and other organisations will need to act quickly to implement an alternative safeguard for the transfer of personal data to the US which complies with European data protection laws.

It is likely that businesses that previously relied on the Privacy Shield will see a rush for parties to agree SCCs for counter-signature in order to bridge the gap created by the invalidation of the Privacy Shield. The use of SCCs as a quick fix has, however, been made more difficult by the CJEU’s eagerness to ensure the use of SCCs is accompanied by a more rigorous assessment of the recipient’s ability to adequately protect the data. Simply putting the SCCs in place will be insufficient to meet the safeguarding requirements, as the CJEU’s decision has highlighted that parties that transfer personal data using SCCs must verify the level of protection in the third country before making any transfer. In addition to this, the recipient of any personal data must inform the data exporter of any inability to comply with the terms of the SCCs. Completing SCCs must be more than a tick-box exercise. 

Next steps

We advise organisations transferring personal data to the US to check whether the Privacy Shield is the mechanism being used and take steps to put an alternative mechanism in place.

This decision will hopefully prompt the European Commission to produce a more robust solution for data transfers. This will likely take the form of a long-awaited update to SCCs, which have not been updated in line with the General Data Protection Regulation and still do not permit processor-to-processor data transfers. The decision will serve as a warning to jurisdictions whose governing authorities process data for the purpose of public security and defence, as such processing may preclude these countries from being able to demonstrate adequate safeguards for the protection of personal data.

This case is also interesting from a UK perspective as, following the end of the transition period at the end of 2020, the UK will also need to put in place a regime to allow transfers to continue to be made from the EEA to the UK. Although the UK is aiming to achieve an adequacy decision, which would avoid the need for any contractual formalities, given the time pressures to agree a deal by the end of the year, there is a possibility this will not be achieved. Many UK businesses would need to look at SCCs as a short-term alternative to ensure the free flow of data can continue.

Our data protection lawyers are on hand to offer advice and guidance regarding your international data transfers.