In a long-awaited decision, the Court of Justice of the European Union (CJEU) has invalidated the EU-US Privacy Shield, a framework governing data transfers between the EU and the US. The good news, however, is that the transfer of personal data based on Standard Contractual Clauses (SCC) is still allowed.
The EU-US Privacy Shield provided a framework under which companies could transfer personal data between the EU and the US in a manner compliant with the applicable privacy provisions. The General Data Protection Regulation (GDPR) sets specific requirements for the transfer of personal data out of the EU. One of these requirements is that a transfer may only be made to countries deemed to have adequate data protection laws. In general, the EU does not list the US as a country that meets this requirement. The Privacy Shield self-certification was designed to create a framework whereby participating companies are considered to provide adequate protection, thereby facilitating the transfer of personal data.
On 16 July 2020, the CJEU declared the EU-US Privacy Shield invalid because the scope and consistency of the US surveillance framework do not allow for sufficient protection of the data of individuals in the EU, exposing it to a risk that would violate fundamental rights under the GDPR. The limitations on the protection of personal data arising from US law are not circumscribed in a way that satisfies the requirements of the principle of proportionality. The CJEU further states that the Ombudsperson mechanism, which is designed to mitigate this interference, is not substantially equivalent to the guarantees required by EU law.
However, the Court noted that the already existing SCC remain valid. They are designed for transferring personal data from the EU to a third country, provided that the data exporter and the recipient assess, prior to any transfer, whether the third country provides an appropriate level of data protection. This means the SCC are assessed in general terms and not in relation to a specific country, which is why they do not take all possible risks into account. This does not render them ineffective, but they are not to be understood as exhaustive either. The controller or processor exporting data therefore needs to supplement the SCC as necessary. In any case, it will be interesting to follow how the SCC are developed in the future. Work is currently in progress within the EDPB.
It is worth noting that Switzerland has implemented its own transfer framework, the Swiss-US Privacy Shield, which is largely similar to the EU-US Privacy Shield. Whether and, if so, how it will be affected by the CJEU’s decision remains to be seen.