Schrems II – CJEU throws EU-US personal data transfers into disarray

CJEU strikes down Privacy Shield but upholds Standard Contractual Clauses.

What's the issue?

The CJEU has ruled in a reference from Ireland on data export mechanisms used to transfer personal data from the EEA to the USA. The court was asked to consider 11 questions but it has boiled them down into consideration of whether data transfers to the US under Standard Contractual Clauses and under the Privacy Shield, afford EU citizens protection which is essentially equivalent to that in the EU under the GDPR, read in light of the EU Charter of Fundamental Rights.

What's the development?

In a shock decision, the CJEU has said that the Privacy Shield Adequacy Decision is invalid because it fails to protect unnecessary and disproportionate access to EU personal data by US intelligence agencies. The court has, however, upheld the decision on Standard Contractual Clauses (SCCs) as a data export mechanism although wider questions remain about using them for the US.

What does this mean for you?

The CJEU's decision effectively puts an end to lawful transfers of personal data under the Privacy Shield. This means that businesses transferring personal data from the EEA to the US under the Privacy Shield need to find an alternative data export mechanism or begin processing the data in the EU. While SCCs remain valid, the same issues regarding access by intelligence authorities in the US apply to transfers made under them. The onus is placed on data exporters and importers to decide whether the data is adequately protected, but if they fail to do so, transfers may be open to challenge and to action by supervisory authorities (SAs) which can prohibit the transfers on a case by case basis. This calls into question all data exports to the US, in particular to businesses covered by FISA.

We suggest businesses identify which transfers are taking place under the Privacy Shield and look at transfers to the US more generally, to prepare to move as quickly as possible to the most appropriate mechanism once we understand more about the regulators' views and any compliance grace period.

For businesses concerned about the impact of Brexit on data transfers from the EEA to the UK, the outcome of the decision is positive as SCCs remain valid. In the absence of an adequacy decision for the UK from 1 January 2021, SCCs look to be a good solution for those seeking to import personal data from the EU, at least as long as the EC or individual SAs do not take issue with access to EU data by UK intelligence and law enforcement agencies.

What's next?

We expect that, as when Safe Harbor was struck down, businesses will be given a period of time in which to adjust to the situation. There is a risk though that ultimately, personal data transfers to the US, and, in particular, to businesses covered by FISA, will become problematic and the EU will move increasingly towards a localised data solution.