Written by International Compliance Association on Monday July 27, 2020
The impact of the decision by the EU Court of Justice on the Privacy Shield
The Court of Justice of the European Union (CJEU) delivered its judgement on 16 July 2020 in a case brought before it concerning a data privacy advocate’s claim against Facebook’s Irish operations. This judgement has potentially serious implications for companies that transfer personal data to processors outside the European Union, particularly to processors located in the US.
In this article we explore the EU’s data privacy rules on the transfer of personal data outside of the EU (from the General Data Protection Regulation – GDPR), the arrangements in place to deal with transfers of data to the US (the so-called US Data Privacy Shield), the substance of the CJEU’s recent judgement and its potential implications.
What does the GDPR say about transferring data outside the EU?
The GDPR permits the transfer of personal data outside of the EU only if the country to which the data is being transferred (a third country) ensures an adequate level of data protection. The European Commission has powers under the GDPR to make decisions concerning the adequacy of a third country’s domestic law or international commitments to protect personal data (sometimes referred to as an equivalence test). Where there is no equivalence, transfers may still take place if safeguards – typically standard data protection clauses – are put in place by the exporter of the data that have the effect of also giving data subjects enforceable rights and effective legal remedies. The GDPR also provides conditions that are to be satisfied in order for personal data to be transferred outside the EU in the absence of the equivalence test or the safeguards.
What was the US Data Privacy Shield and how did it work?
The US Data Privacy Shield was a mechanism put in place between the EU and the US that imposed on US companies and certain US regulatory agencies obligations to protect the personal data of EU citizens.
The Data Privacy Shield set principles concerning the handling of personal data, including:
To benefit from the Data Privacy Shield, a US organisation had to:
What is the substance behind the CJEU’s recent judgement?
In its judgement, the CJEU opined on two points concerning the adequacy of transferring personal data from the EU:
In principle the standard data protection clause remains valid. However, its validity depends on whether it is possible, in practice, for the data importer to ensure compliance with the level of protection required by EU law.
The CJEU has declared the Privacy Shield invalid. The ruling is generally not considered a great surprise, following views by some that the Privacy Shield was effectively the previous Safe Harbour agreement under another name.
The CJEU’s conclusion is that the Privacy Shield did not provide a level of protection of personal data in the US 'essentially equivalent' to that under the GDPR and EU law. This appears to be due to the intrusive nature of surveillance programmes undertaken by the US government and intelligence agencies, which are not limited to information that is 'strictly necessary' and are therefore viewed as disproportionate under the GDPR.
The CJEU also noted:
What are the implications of the CJEU decision?
Despite the standard privacy clause remaining, in principle, valid, EU data exporters should consider suspending or preventing the transfers of personal data previously made under the standard data clause in order to ensure an individual’s data protection rights are protected to an 'essentially equivalent' standard outside the EU as they would be under GDPR.
It follows that there is likely to be more focus on importers of the data of EU citizens – and in particular, those based in the US.
However, this ruling applies to all third countries without an adequacy decision to prove to the EU-based data exporter that processing will not clash with the GDPR. In the case of data exports to the US this may be difficult to prove, as current surveillance laws do not grant foreign citizens the same protection afforded to Americans.
EU-based organisations should analyse the practical implications of the CJEU’s ruling on their data management and data storage business models, where they transfer personal data to others. They should consider their use of third-party cloud storage. Some may wish to:
Organisations outside the EU
Organisations outside the EU who import personal data from the EU should also weigh up the implications of the CJEU’s ruling. They ought to anticipate whether the standard data protection clause provides the same level of protection as under the GDPR itself and consider the risks posed by their domestic legal framework. Where there are gaps or shortcomings, they will need to consider what other options are available.
Those US organisations who have agreed to participate in the US Data Privacy Shield arrangement ought to consider the implications of the CJEU’s ruling on their business and data model and develop plans to address the obvious challenges.
Austrian privacy advocate Max Schrems, who brought the case against Facebook and the Irish supervisory authority that was the subject of the CJEU’s ruling, noted that the CJEU’s ruling put the US on the same footing as any other third country. He hoped that the CJEU’s decision would encourage US corporations to advocate for stronger privacy rights for foreign citizens.
 Court of Justice of the European Union, Press Release No 91/20, 16 July 2020: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf – accessed July 2020
 The European Parliament and the Council, Regulation (EU) 2016/679, 27 April 2016: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN – accessed July 2020
 Article 45 of the GDPR
 Article 46(1) and (2)(c) of the GDPR
 Article 49 of the GDPR