The Court of Justice of the European Union (‘CJEU’) announced, on 16 July 2020, that it had issued its judgment (‘the Judgment’) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘the Schrems II Case’). In particular, the CJEU declared the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection provided by the EU-US Privacy Shield (‘the EU-US Privacy Shield Decision’) invalid, but found that nothing affected the validity of Standard Contractual Clauses (‘SCCs’) in light of the Charter of Fundamental Rights.
“The impact of this decision is immediate and global,” said Eduardo Ustaran, Partner and Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells. “It goes significantly further than the invalidation of the Privacy Shield as it requires companies to bear in mind other countries’ powers over data access when engaging in global data flows. This a big job.”
Specifically, and in relation to SCCs, the CJEU outlined that the assessment of the afforded level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country, as well as relevant aspects of the legal system of that third country in relation to any access by public authorities of the third country. Moreover, the CJEU held that a supervisory authority is required to suspend or prohibit the transfer of data to the third country when it believes that the protection required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put and end to the transfer. In addition, the CJEU found that SCCs are a mechanism that, in practice, make it possible to ensure compliance with a level of protection in accordance with EU law, as well as make it possible to guarantee that the transfer of data pursuant to the clauses is suspended or prohibited in the event of a breach of such clauses, or when it is impossible to honor them.
Moreover, the CJEU examined the validity of the EU-US Privacy Shield Decision in light of the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In this regard, the CJEU found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to that third country, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law. In particular, the CJEU noted that US public authorities’ use and access of EU data were not circumscribed by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary. Furthermore, the CJEU highlighted that, in relation to the requirement of judicial protection, the Ombudsperson mechanism does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, as it would require guarantees of both the independence of the Ombudsperson and of the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.
Lastly, ‘None of Your Business’ (‘NOYB’) issued, on 16 July 2020, a first statement on the CJEU’s judgment, outlining that organizations may also not use SCCs for the transfer of personal data, as the Irish Data Protection Commission (‘DPC’) must stop data transfers under this instrument.
Contact us today to find out more about how this decision may impact you and how we can help. We’ve prepared comprehensive contingency plans for organizations who have historically relied on Privacy Shield certification.