Authors
Vin Bange

Vinod Bange

Partner

Read More

Debbie Heywood

Senior professional support lawyer

Read More
Authors
Vin Bange

Vinod Bange

Partner

Read More

Debbie Heywood

Senior professional support lawyer

Read More

16 July 2020

Radar - July 2020 – 1 of 5 Insights

Schrems II – CJEU throws EU-US personal data transfers into disarray

CJEU strikes down Privacy Shield but upholds Standard Contractual Clauses.

What's the issue?

The CJEU has ruled in a reference from Ireland on data export mechanisms used to transfer personal data from the EEA to the USA. The court was asked to consider 11 questions but it has boiled them down into consideration of whether data transfers to the US under Standard Contractual Clauses and under the Privacy Shield, afford EU citizens protection which is essentially equivalent to that in the EU under the GDPR, read in light of the EU Charter of Fundamental Rights.

What's the development?

In a shock decision, the CJEU has said that the Privacy Shield Adequacy Decision is invalid because it fails to protect unnecessary and disproportionate access to EU personal data by US intelligence agencies. The court has, however, upheld the decision on Standard Contractual Clauses (SCCs) as a data export mechanism although wider questions remain about using them for the US.

What does this mean for you?

The CJEU's decision effectively puts an end to lawful transfers of personal data under the Privacy Shield. This means that businesses transferring personal data from the EEA to the US under the Privacy Shield need to find an alternative data export mechanism or begin processing the data in the EU. While SCCs remain valid, the same issues regarding access by intelligence authorities in the US apply to transfers made under them. The onus is placed on data exporters and importers to decide whether the data is adequately protected, but if they fail to do so, transfers may be open to challenge and to action by supervisory authorities (SAs) which can prohibit the transfers on a case by case basis. This calls into question all data exports to the US, in particular to businesses covered by FISA.

We suggest businesses identify which transfers are taking place under the Privacy Shield and look at transfers to the US more generally, to prepare to move as quickly as possible to the most appropriate mechanism once we understand more about the regulators' views and any compliance grace period.

For businesses concerned about the impact of Brexit on data transfers from the EEA to the UK, the outcome of the decision is positive as SCCs remain valid. In the absence of an adequacy decision for the UK from 1 January 2021, SCCs look to be a good solution for those seeking to import personal data from the EU, at least as long as the EC or individual SAs do not take issue with access to EU data by UK intelligence and law enforcement agencies.

What's next?

We expect that, as when Safe Harbor was struck down, businesses will be given a period of time in which to adjust to the situation. There is a risk though that ultimately, personal data transfers to the US, and, in particular, to businesses covered by FISA, will become problematic and the EU will move increasingly towards a localised data solution.

Find out more

We'll be discussing the impact of this decision in our webinar on 23 July 2020. We hope you can join us. In the meantime, you can read more here.

Call To Action Arrow Image

Latest insights in your inbox

Subscribe to newsletters on topics relevant to you.

Subscribe
Subscribe

Related Insights

Server farm
Data protection & cyber

Global Data Hub - Data transfers after Schrems II and Brexit transition

9 October 2020
Quick read

by multiple authors

Click here to find out more
vault-door
Data protection & cyber

Data protection in online gambling

31 July 2020
IN-DEPTH ANALYSIS

by Debbie Heywood

Click here to find out more
Data centre
Technology, media & communications

How will the P2B Regulation work and be enforced in the UK?

20 July 2020

by Debbie Heywood

Click here to find out more