16th July 2020

Today the European Court of Justice (ECJ) has struck down the validity of the EU – US Privacy Shield data flow agreement, which provides for the safe transfer of data between the European Union and the United States of America.

The Commission’s Decision 2016/1250 had analysed United States law in terms of the level of protection afforded to data transfer and concluded that the safeguards so afforded were adequate. However, in this judgment, the ECJ ruled that the legal safeguards “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality”.

The Privacy Shield is a system providing for the transfer of personal data from the EU to the US in what was thought to be a safe and secure manner, in line with the principles of the GDPR. Yet, the ECJ did away with the assurances previously given by the Privacy Shield as it considered US law’s level of protection to not be “equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter [of Fundamental Rights]”.

This ECJ decision arises from the Schrems case, in which the plaintiff argued against Facebook’s transfer of his data to the US, where it was being processed by the national intelligence authorities. The Court concluded that in the US, the interests of “national security, public interest and law enforcement” supersede those of the individual and one’s personal data. The judgment noted that the redress mechanism provided by the Privacy Shield created an Ombudsman; however, that office did not provide legal guarantees to a level equivalent to that required by EU law, nor could the Ombudsman’s independence be guaranteed. Furthermore, the Ombudsman’s decisions could not even bind US security authorities.

The decision also considered the validity of Standard Contractual Clauses (SCCs), which it held remain valid. Their applicability may, however, be decided upon by national data protection authorities. The ECJ also said that even under SCCs a data flow must be stopped if a US company falls under US surveillance law. Thus, data transfers to US IT companies, such as Microsoft, Apple, Google or Facebook, cannot even take place under SCCs.

Among other implications, this judgment will see thousands of US companies facing restrictions on storing information about EU citizens on their servers in the US. This may also include companies hosting websites in the US through which data on EU citizens is captured and stored on a US-based server.

If you have a processor in the US, make sure that they don’t rely on the Privacy Shield to process the data. Such processing should be carried out under Data Processing Agreements which include non-negotiable SCCs. Even this is not enough if your processor falls under US surveillance law.