On Thursday, July 16, the European Court of Justice (ECJ) ruled that the EU-US Privacy Shield is invalid. The ruling stems from the complaints filed with the Irish supervisory authority by Max Schrems regarding the transfer of his data from the EU to the US by Facebook. The years-long battle first saw the ECJ overturn the Safe Harbor provisions and now results in the overturn of the Privacy Shield, which was created to replace the Safe Harbor.
The ECJ found the GDPR applies to the transfer and the processing activities of an entity in a third country when the data being processed was transferred to the third country from the EU. The ECJ then found that the transfer mechanism must afford data subjects “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.” As a result, a transfer mechanism must consider both the protections agreed between the data exporter and the data importer and also the legal system of the third country, specifically the access to the data by public authorities.
With that analysis in mind, and broadly referencing U.S. laws related to national security, public interest and law enforcement, the ECJ found that the Privacy Shield does not afford rights “essentially equivalent to those required under EU law.” It noted in particular that surveillance programs “are not limited to what is strictly necessary” and therefore do not comply with the principle of proportionality. Additionally, the ECJ took issue with the Ombudsperson mechanism under Privacy Shield, at least in part because it does not provide data subjects a sufficient cause of action to protect their rights.
The ECJ also raised the question of the validity of the standard contractual clauses (enacted under Decision 2010/087). For now, the ECJ finds that the standard contractual clauses are valid. But the standard contractual clauses are not a default solution that should be applied in all cases. The EU data exporter and the US data importer must, before any transfer, evaluate whether the third country respects the protections in the standard contractual clauses. Additionally, the parties must analyze whether the standard contractual clauses can be complied with or whether the transfer should be suspended.
US companies transferring data from the EU should evaluate their transfer mechanism and consider whether the standard contractual clauses are a suitable alternative. The implications of this decision are as yet unknown. For now, the standard contractual clauses are an acceptable way to transfer data. Under an extreme view, this decision could mean that personal data of EU residents cannot be transferred to the US.