On 16 July 2020, the Court of Justice of the EU (CJEU) delivered its long-awaited judgment on the validity of personal data transfers outside of the EU. The Court did not invalidate Decision 2010/87/EU on standard contractual clauses (SCCs). However, it invalidated Commission Decision 2016/1250 on the EU-US Privacy Shield.*
The General Data Protection Regulation (GDPR) envisages two scenarios in which an organisation can transfer personal data outside of the European Economic Area (EEA): transfers covered by an adequacy decision and transfers without one. Where there is no adequacy decision, the organisation must rely on one of the available safeguards, one of which is the SCCs.
The EU-US Privacy Shield is the successor to the earlier EU-US Safe Harbor agreement and is a mechanism for lawfully transferring personal data to the US. In his first challenge, Max Schrems, the Austrian privacy activist, filed a complaint with the Irish Data Protection Commissioner against the transfer of his personal data by Facebook to the US, on the grounds that US intelligence services could then access it. The case reached the CJEU, which in 2015 invalidated the Safe Harbor framework and confirmed the power of data protection authorities (DPAs) to suspend outward data transfers if they find them to be in breach of EU law.
One year later, the EU and US agreed on a new framework, Privacy Shield. To date, it has been used by some 5,000 companies.
In parallel, the original complaint filed by Schrems was re-examined by the Irish Data Protection Commissioner. Following clarification by Facebook Ireland that the data were transferred by means of the SCCs, Schrems was asked to reformulate his complaint. In the reformulated complaint, he argued that because his personal data were used in a manner incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (CFR), the SCC decision could not justify data transfers to the US.
In 2016, the Commissioner published a draft decision in which she took the view that data transferred to the US were likely to be processed by the US authorities in a manner incompatible with Articles 7 and 8 CFR, and that US law did not provide remedies equivalent to those set out in Article 47 CFR. She also found that the SCCs could not remedy that defect, since they bind the parties to the contract but not public authorities. The Commissioner then brought proceedings before the Irish High Court so that the matter could be referred to the CJEU, which the High Court did in 2018.
In its judgment, the CJEU examined in detail the rights and obligations of the parties to the SCCs (paras 122 to 146). It found that the SCCs were not in breach of EU law (paras 148 and 149). However, the Court insisted that the obligation to ensure the lawfulness of a data transfer now requires an assessment of the law and practice of the importing country, in particular as regards access to the data by public authorities (para 141). Where the law of a third country allows public authorities to access the data, it may be necessary to introduce additional safeguards.
The Court also confirmed the power of DPAs to suspend data transfers to third countries if they find them to be in breach of EU law. It added that the relevant DPAs should use the consistency mechanism and refer the matter to the European Data Protection Board (EDPB) to ensure a consistent approach throughout the EU (para 147).
Importantly, the Court struck down the EU-US Privacy Shield after a careful analysis of its shortcomings (paras 163 to 201). It concluded that US agencies have wide-ranging powers to access personal data transferred to the US (paras 180 to 185) and that US law does not grant EU data subjects remedies equivalent to those guaranteed by EU law (paras 186 to 201).
What does this mean for organisations?
The judgment is likely to have significant consequences for all organisations that rely on the Privacy Shield mechanism for their data transfers to the US. However, it will also have an impact on those who rely on SCCs in general, because the judgment confirmed the higher standard of due diligence to be applied by data exporters and the possible need to introduce additional safeguards. The exact nature of those 'additional safeguards' is yet to be clarified.
Furthermore, the judgment has implications for other transfer mechanisms, such as binding corporate rules (BCRs), which are used within the same group of organisations. The same reasoning applies to that mechanism, namely the need to assess the law and practice of the country to which the data are transferred.
The EDPB has issued a frequently asked questions (FAQ) document dealing with some of the questions that arose after the judgment. Importantly, the EDPB states that there is no grace period for organisations that have relied on the Privacy Shield, and that it is looking further into what 'additional safeguards' to the SCCs or BCRs could be put in place.
The judgment also has wider implications for cross-border data transfers from the EEA. In the context of the EU-UK negotiations on the future partnership agreement (FPA), the requirements set out in the judgment will apply to transfers to the UK if no adequacy decision is in place.
* Please note that since the first publication of this article the EDPB has published two sets of recommendations intended to address the requirements of the CJEU judgment. In addition, the European Commission has published a revised set of SCCs.