The Court of Justice of the EU strikes down key rules of U.S.-EU data transfer

On July 16, 2020 in a landmark decision, the Court of Justice of the European Union (CJEU) decided:

1. the EU and US Data Protection Shield (so called Privacy Shield) is invalid;
2. the standard contractual clauses for the transfer of personal data to processors established in third countries to be valid.

The Decision 2016/1250 on the adequacy of the protection provided by the European Union –
the United States Data Protection Shield is invalid as it fails to protect people’s rights to privacy,
data protection and access to remedy.

The decision mentioned above forms part of a long-running legal case taken against Facebook by Max Schrems, an Austrian lawyer and privacy rights advocate. It must be remembered that to understand decision of CJEU we have to go back to the beginning of M. Schrems’ battle with Facebook. Under the Charter of Fundamental Rights of the European Union, every citizen in the European Union (hereinafter – EU) has a right to have their data processed fairly, with their consent, and for specified purposes. Yet, if an American company sends an EU citizen’s data back to the US, there is a risk that the US National Security Agency (NSA) will get access to such data. Edward Snowden, the former contractor of NSA, revealed that the PRISM programme gave NSA access to data from major tech firms such as Facebook, Apple, Google, etc. M. Schrems was arguing that Facebook was aiding NSA in conducting mass surveillance of EU citizens.

As Facebook’s European headquarters is based in Ireland, M. Schrems complained to the Irish Data Protection Commission. After his initial complaint was rejected, M. Schrems took his case to the country’s High Court – which referred it on to CJEU. As the result of this case, the Safe Harbour, a 15-year-old agreement which governed data transfers between the EU and the US, was dismantled. It was said that the agreement was unable to guarantee adequate safeguards for the protection of EU citizens’ data, so Safe Harbour was invalidated. As a result, companies operating in Europe switched to Standard Contractual Clauses (hereinafter – SCCs), which ensured they could still move data across the Atlantic. In the meantime, the EU and the US developed a new agreement, the Privacy Shield framework, to replace the Safe Harbour agreement.

So, as Facebook and other companies began using SCCs to transfer data to the US, M. Schrems submitted a new complaint to the Irish Data Protection Commissioner, this time challenging Facebook’s use of SCCs to transfer data. Once again, it was referred to the Irish High Court and then up to the CJEU. While the Privacy Shield wasn’t part of M. Schrems’ initial complaint, the Irish Court’s request pulled the Privacy Shield into the case as well and by 2020 July 16 decision of CJEU came to the result that the decision regarding Privacy Shield was invalidated. However, it shall be noted that the same decision of CJEU said that Commission Decision 2010/87 on SCCs for the transfer of personal data to processors established in third countries is valid.

The ruling cannot be appealed and this ruling brokered a replacement of data system between EU and US, whereby data could still be transferred from EU to US by using SCCs or Binding Corporate Rules. The same was confirmed by Věra Jourová, Vice President of the European Commission – “the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.”.

Didier Reynders, European Commissioner for Justice stated that “Standard Contractual Clausess are in fact the most used tool for international transfers of personal data and we wanted to ensure they can be used by businesses and fully in line with EU law. We are now advanced with this work and we will of course take into account the requirements of judgement. We will work with the European Data Protection Board, as well as the 27 EU Member States. It will be very important to start the process to have a formal approval to modernize the Standard Contractual Clauses as soon as possible. We have been in an ongoing process about such a modernization for some time, but with an attention to the different elements of the decision of the Court today. My second point: The Court has invalidated the PrivacyShield. We have to study the judgement in detail and carefully assess the consequences of this invalidation“.

Taking into consideration what is mentioned above, it shall be noted that even CJEU upheld the validity of the SCCs today, the European Commission will need to reform them to incorporate more safeguards. Moreover, it shall be considered that this decision will have the impact on the adoption of US comprehensive privacy and data protection framework that puts users at the center and provides meaningful avenues for redress and oversight.

Please find the full CJEU decision here.

The article was prepared by Loreta Andziulytė, ECOVIS ProventusLaw attorney at law, and Milda Šlekytė, ECOVIS ProventusLaw assistant attorney at law.

Get in touch