International data transfers to the USA: The Privacy Shield invalidated by the CJEU
The EU-US Privacy Shield, which allowed the transfer of personal data from the European Union to the United States in accordance with the GDPR, was invalidated by the Court of Justice of the European Union on July 16, 2020[1].
A look back at this decision and its impact on data transfers to the United States.
What is the Privacy Shield?
The European Union's general regulation on data protection, known as the General Data Protection Regulation or “GDPR”, was adopted on April 14, 2016 and became enforceable on May 28, 2018[2]. It provides that personal data may be transferred to a third country only if that country ensures an adequate level of protection for the data.
In order to allow large US companies to continue processing their European users’ personal data, an agreement was concluded between the European Union and the United States: the EU-US Privacy Shield. This agreement was ratified by the European Commission in Decision 2016/1250 of July 12, 2016[3], which established that the United States, as a third country, offered an adequate level of personal data protection[4], thereby allowing the transfer of this type of data.
Why has the Court of Justice of the European Union invalidated this mechanism?
Mr. Maximillian Schrems, an Austrian national and Facebook user, challenged the transfer of his personal data to the United States by Facebook on the grounds that there was insufficient protection for the data transferred to that country.
Following Mr. Schrems’ complaint, the Irish supervisory authority referred the matter to the High Court of Justice, which in turn applied to the CJEU for a preliminary ruling on the adequacy of the protection of personal data transferred to the USA.
Contrary to all expectations, the CJEU ruled on July 16, 2020 that the level of data protection offered by the Privacy Shield was insufficient and invalidated the European Commission’s Decision 2016/1250.
Indeed, US domestic regulations impose significant limitations on the protection of personal data, justified inter alia by public security, defense and national security interests, in particular to allow the implementation of certain surveillance programs.
The CJEU considered that such limitations, and the interference they entail with the fundamental rights of the persons whose data are transferred, were not sufficiently regulated, or in any event not sufficiently regulated in the light of the rules of the European Union: in the United States, surveillance programs are not limited to what is strictly necessary, contrary to what would be required within the European Union under the principle of proportionality.
In addition, the Privacy Shield only provides for an ombudsperson mechanism in the event of a dispute. The CJEU considered that such a mechanism did not constitute a remedy offering guarantees equivalent to those offered in the European Union, namely the independence of the body before which the matter is brought and the binding nature of the decisions issued by that body.
Consequently, the CJEU concluded that the United States does not, as a third country, ensure an adequate level of protection for personal data transferred from the European Union: the Privacy Shield was thus invalidated.
What is the impact of this European decision? How should transfers of personal data to the United States now be handled?
Following this decision, the question of personal data transfers to the United States in the future obviously arises.
Although the Privacy Shield has been invalidated, the transfer of data is still possible on other grounds.
In the absence of an adequacy decision by the European Union, as is now the case, a transfer can take place only if the data exporter established within the European Union has provided appropriate safeguards[5], such as the standard data protection clauses adopted by the European Commission, and on condition that enforceable data subject rights and effective legal remedies are available to data subjects.
Decision 2010/87 of the European Commission dated February 5, 2010[6] had in fact laid down standard contractual clauses for the transfer of personal data to processors established in third countries. In its July 16, 2020 decision, the CJEU held that Decision 2010/87 was valid.
However, the CJEU makes the validity of this alternative mechanism conditional upon the provision of appropriate safeguards, i.e. the existence of effective schemes to ensure data protection and, at the very least, to allow the transfer in question to be suspended or prohibited in case of breach of the contractual clauses.
In other words, the transfer of personal data to the United States now remains possible on the basis of standard contractual clauses, provided that they are accompanied by appropriate safeguards to ensure the protection of the personal data being transferred.
[1] http://curia.europa.eu/juris/document/document.jsf;jsessionid=A63A0D92AE7AE3EDB37EDD1EAA9D2F8A?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=13441406
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
[3] https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016D1250
[4] As per Article 45 of the GDPR
[5] Article 46 of the GDPR
[6] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087