News

Court of Justice of the European Union overturns EU-US Privacy Shield

17.07.2020

On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the European Commission’s Implementing Decision on the EU-US Privacy Shield, without a transitional period, thus dealing a harsh blow to transatlantic data transfer.

In a no less sensational decision, the CJEU had already invalidated in 2015 the European Commission’s Implementing Decision on the predecessor to the EU-US Privacy Shield, the US/EU Safe Harbour Framework. Just a few months later, by a new Implementing Decision, the European Commission had certified the successor of the invalidated US/EU Safe Harbour Framework, the EU-US Privacy Shield, as having an adequate level of protection for the transfer of personal data to companies in the US.  However, this successor was soon subject to strong criticism.

With the recent CJEU ruling on the invalidity of this new Implementing Decision on the EU-US Privacy Shield, transatlantic data transfer is now experiencing a disastrous déjà-vu situation. According to the CJEU, the US cannot be certified as having an adequate level of data protection due to a number of US authorities having administrative access powers and a lack of legal protection options in the US for EU citizens.

The CJEU also clarified in its ruling that the EU standard data protection clauses (or ‘standard contractual clauses’) often used in practice for international data transfers are not in themselves open to criticism.

At the same time, however, in its judgment, the CJEU makes it very clear that the competent supervisory authority is obliged to suspend or prohibit any transfer of personal data to a third country based on standard data protection clauses if, in the light of all the circumstances of that transfer, the authority considers that the clauses are not or cannot be complied with in that third country. Given the critical remarks made by the CJEU on the legal situation in the US, the question therefore arises as to whether supervisory authorities should prevent data transfers to the US even if these transfers are made on the basis of the standard contractual clauses and at the same time it is clear that the specific data importers in question are subject to US law, which makes it impossible for them to comply with the standard contractual clauses. The CJEU’s ruling thus ultimately calls into question the lawfulness of the transfer of personal data to the US on the basis of standard contractual clauses as a whole.

It remains to be seen how the European supervisory authorities will position themselves in this regard. In particular, the question arises as to whether the supervisory authorities will grant companies a certain grace period in order to adapt to the new legal situation. Following the CJEU’s Safe Harbour ruling, the data protection authorities had agreed at the time on a grace period of a few months.

Initial comments from the German authorities on the CJEU’s Privacy Shield ruling suggest that in the authorities’ view, data transfers to the US may still be permitted on the basis of standard contractual clauses, at least in individual cases. For the time being, however, the standard contractual clauses are overshadowed by the sword of Damocles of an administrative complaint or even the imposition of fines. It is to be hoped that the European supervisory authorities will quickly provide clarity on this issue.

In any case, for all transfers to third countries based on standard contractual clauses (i.e. not only to the US), data-exporting companies will no longer be able to review in detail which laws apply to the data importer in the intended third country of data transfer or to any other recipients, and whether these laws undermine the guarantees they provide when signing the standard contractual clauses. To this end, it will probably be essential to analyse the specific data exports in detail and to determine which third-country laws apply. As a result, concluding standard contractual clauses in practice is likely to require significantly more effort. Whether standard contractual clauses will remain a workable solution against this backdrop remains to be seen.

We therefore recommend in particular examining carefully whether other appropriate safeguards (Article 46 GDPR) or derogations (Article 49 GDPR) could be considered as alternative solutions for transfers to third countries rather than standard contractual clauses.

 

Further reading:

 

Contact

Daniel Rücker
Daniel Rücker+49 89 28628457
Sebastian Dienst
Sebastian Dienst+49 89 28628457

Data Privacy
Digital Business

Share

Show all

Insights

hands bridge with pulse
News

EU merger control: European Commission takes stricter action against submission of incorrect, incomplete and misleading information

02.05.2024
focus with pulse
News

Role of the DMA for app developers

30.04.2024
hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
telescopes with pulse
News

Digital Markets Act: European Commission opens investigations against Alphabet, Apple and Meta

28.03.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
EU Flag with Pulse
News

Digital consumer protection: current case law and European legislation

04.03.2024
container storage port
News

Update Commercial 2024

01.03.2024