ECJ invalidates Privacy Shield agreement as adequate mechanism of data protection

In its judgment of 16 July 2020, the Court of Justice of the EU ruled that the Privacy Shield Agreement, used by tech companies, banks and other businesses to transfer personal data between the EU and the US, does not protect Europeans’ privacy. The Court invalidated EU Commission Decision 2016/1250 on the adequacy of the protection provided by Privacy Shield, but confirmed the validity of Decision 2010/87 on standard contractual clauses (SCCs).

The Grand Chamber ruled that EU law, namely the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, GDPR), must be interpreted as applying to the transfer of personal data for commercial purposes by an economic operator established in a Member State to an operator in a third country.

The fact that such data is liable to be accessed by the authorities of the third country for public security, defence and State security reasons does not remove the transfer from the scope of the GDPR.

Standard Contractual Clauses

The Court held that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. The Court further specified that the assessment of that level of protection must take into account both the contractual clauses agreed between the parties and the third country's law on public authorities’ access.

Regarding the obligations of the European supervisory authorities, the Court ruled that, unless there is a valid Commission adequacy decision in respect of the specific country, those authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view that the transfer does not comply with EU law and where the data exporter established in the EU has not itself suspended or put an end to the transfer.

The Court confirmed the validity of Decision 2010/87 as establishing effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law. In particular, the Court pointed out an obligation imposed on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and an obligation imposed on the recipient to inform the data exporter of any inability to comply with the standard data protection clauses; the latter is then, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

Privacy Shield Agreement

The Court ruled invalid EU Commission Decision 2016/1250 approving the adequacy of protection under the Privacy Shield Agreement. It noted that the requirements of US national security, public interest and law enforcement interfere with the fundamental rights of persons whose data are transferred to the US. The Court found that the limitations on the protection of personal data arising from US domestic law, which the Commission assessed in Decision 2016/1250, do not satisfy requirements essentially equivalent to those of EU law. The Court found that the provisions on certain surveillance programmes do not impose any limitations on the power they confer to implement those programmes, nor do they provide for guarantees for potentially targeted non-US persons. Although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.

The Court also held that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declared Decision 2016/1250 invalid. 

The impact of the ruling is not immediately clear. As the Court ruled that the Privacy Shield agreement does not protect Europeans’ privacy, thousands of companies will now have to carefully assess whether their SCCs ensure the protection of data moved to the US as required by the GDPR.

The current judgment came after Max Schrems filed a complaint against Facebook arguing that his privacy was violated when his data was transferred to the US and could be accessed and used there by the public authorities. Max Schrems is an Austrian privacy campaigner. Based on his complaint, the Safe Harbour Agreement, the predecessor of Privacy Shield, was dismantled in 2015.

Full text of the judgment in Case C-311/18