Over the summer, the Court of Justice of the European Union (CJEU) released its ruling on 16 July in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), which invalidated the EU-US Privacy Shield. The EU-US Privacy Shield was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Economic Area to the United States. As a result of the Schrems II decision, the EU-US Privacy Shield framework is no longer a valid mechanism to comply with General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the United States. The transfer of data between the EU and the US is essential for commerce between these two regions, and this decision has profound implications for data transfers between the US and the European Economic Area, as more than 5,000 businesses are currently certified under the EU-US Privacy Shield.
Schrems II was brought by an Austrian privacy activist, Max Schrems, a Facebook user who challenged the legality of Facebook’s handling of his personal information under European privacy law. Schrems later filed a complaint with the Irish Data Protection Commissioner, challenging Facebook Ireland’s reliance on Standard Contractual Clauses (SCCs) as a legal basis for transferring personal data to Facebook servers in the US. The Irish Data Protection Commissioner, who investigated Schrems’ complaint, brought proceedings against Facebook. Ireland’s High Court referred these issues to the CJEU to determine the validity of the SCCs and the EU-US Privacy Shield. In the Schrems II decision, the CJEU evaluated the requirements of US national security laws, which in certain cases enable access by the US government to personal data and which, according to the CJEU, result in insufficient protection of EU personal data. The CJEU noted that the Privacy Shield could not prevent access to and use of personal data by US government authorities. Further, the Ombudsperson mechanism in particular does not provide guarantees substantially equivalent to those required by EU law. As a result, the CJEU found that EU data subjects do not have actionable rights before the US courts. While businesses can no longer rely upon the Privacy Shield for EU-US data transfers, the CJEU did uphold the SCCs, which remain a permissible legal transfer mechanism with certain caveats. Businesses can’t simply attach SCCs to a contract and assume the data transfer complies with the GDPR. The CJEU explained that some due diligence will be required prior to any transfer of data to verify whether the law of the third country of destination ensures adequate protection.
Read more in the December issue of Lawyer Monthly as Ashley Thomas analyzes the EU-US Privacy Shield and breaks down data protection requirements, the implications for invalidation, and what this all means for U.S. companies.