The European Court of Justice this morning issued a significant – and fairly surprising – ruling on international data transfers in the Schrems II case. Standard contractual clauses remain valid, but the Privacy Shield is invalid and cannot be relied on to legitimise transfers of personal data from the EEA to the US.
This is likely to have a significant impact on both US organisations that were certified under the Privacy Shield as well as for EU organisations sending personal data to the US under the Privacy Shield. As we wait to hear more from the regulators as to practical implications arising from the invalidity finding, it is worth noting the substantive points of the judgment:
Standard Contractual Clauses
- The ECJ upheld the validity of the Standard Contractual Clauses, meaning that the significant administrative and legal challenges that would have resulted if the SCCs were found invalid can be set aside. The European Commission is working on a revised set of SCCs, which we expect to be rolled out in the near-term future.
- However, the ECJ made clear that data exporters (the EU party) must assess and verify the protection offered by the laws of the importing party’s country – including those relating to government surveillance. This is no easy task, and will likely mean that organisations need to carry out various data protection impact assessments for these transfers and, potentially, also consult their data protection authority before sharing data with organisations in high-risk countries.
- How this works in practice remains to be seen – and the ruling would seem to suggest that exporters could find that SCC-based transfers to the US would not be possible, for the same reasons that the Privacy Shield is struck down (i.e. excessive government surveillance). But for now, the SCCs remain in play and organisations will continue to rely on them – notwithstanding it is unclear exactly how and when they should conduct an assessment of each receiving country’s laws.
- We expect that the Commission, the Irish regulator and the European Data Protection Board will soon provide public statements on the decision and guidance in respect of next steps, and we will update you once these have been released.
- The current EU-US data transfer mechanism, the Privacy Shield, is invalid. Today’s ruling comes less than five years after the court invalidated the previous transatlantic transfer regime, the Safe Harbor.
- In both cases, the ECJ found that the US government’s surveillance system does not sufficiently guarantee the rights of individuals in the EU whose personal data are transferred to the US – nor, the court said, do these individuals have actionable rights against the US authorities.
- Today’s judgment will have huge geopolitical implications for the EU and US, given that the Commission recently gave the Privacy Shield a clean bill of health in its third annual review. It also has potentially grave implications for the UK, whose own government surveillance system will now be a key factor in determining whether the UK receives a determination from the Commission that it offers protection for personal data send from the EU. On today’s ruling, that assessment looks bleak.
- Those relying on Privacy Shield for as a mechanism for legitimising data transfers will need to find an alternative mechanism. And those sending personal data from Europe to the US under the Privacy Shield will also need to review their actions to ensure they are not transferring data unlawfully.
- We note that when the Safe Harbor was found invalid, EU data protection authorities issued a four-month moratorium on enforcement actions to allow organisations to implement alternative data transfer measures. We hope, but cannot yet confirm, that this will be the case again.