The Court of Justice of the European Union (CJEU) issued on July 16, 2020 an important ruling on the data transfer regime between the European Union (EU) and the United States of America (USA) in the so-called "Facebook Ireland v Schrems" case, holding that personal data stored and processed in the United States does not meet the level of security required by the GDPR.
By this ruling, the CJEU invalidates Decision 2016/1250 on the adequacy of the protection provided by the so-called "Privacy Shield", which allowed data to be transferred between EU and US operators that abide by its data protection principles without further formalities.
It declared that Commission Decision 2010/87 on the standard contractual clauses for the transfer of personal data to processors established in third countries remains fully valid.
What is the Privacy Shield?
The Privacy Shield, also known as the "EU-US Privacy Shield", is an agreement signed in 2016 between the US and the European Union which established a framework for data protection and replaced the old "Safe Harbor" framework, which had been in force until it was annulled by the Court of Justice of the European Union.
The Privacy Shield operated in accordance with European regulations on the protection of citizens' privacy in data exchanges with the US. In other words, its main purpose was to ensure that North American companies collected data from European users in compliance with European data protection regulations.
Why has this agreement been invalidated?
According to the CJEU, the invalidation of this agreement results from limitations on the protection of personal data that stem from the internal regulations of the United States, which affect the access to and use of data transferred from the EU by the American authorities.
These limitations on the protection of personal data are not regulated in accordance with the requirements of European Union law, as they do not comply with the proportionality principle, unless the US surveillance programs are limited to the processing of strictly necessary data.
In other words, the Privacy Shield does not provide the affected persons with guarantees that are sufficient and substantially equivalent to those existing in European Union law to preserve data privacy and comply with the General Data Protection Regulation (GDPR).
How does the fall of the Privacy Shield affect businesses?
The CJEU ruling implies that European companies must review their data transfers and processing to identify which international transfers they make to the US. Many of these transfers occur because companies use US technology service providers; SaaS and cloud services are very common examples. Companies will have to verify whether these providers have their servers located in Europe or in the US.
If the servers are located in the US, it will be necessary to seek alternative agreements that guarantee the legality of these transfers. Even though the standard contractual clauses in Decision 2010/87/EU are available, it must be taken into account that these clauses will not be sufficient guarantees if they do not prevent US organizations from intruding on the data of European citizens for reasons of national security or similar. Thus, additional guarantees will be necessary.
Multinational companies based in the United States that make international transfers between group companies covered by the Privacy Shield will have to bring these transfers in line with specific Binding Corporate Rules (BCR) that guarantee appropriate security levels for the transferred data.
What about users?
The Privacy Shield, although still in force, remains in the background of the GDPR, since the guarantees contained in European regulations are broader and more demanding as regards the protection of users' personal data and international data transfers.
Since companies must seek other options to legitimize transfers, such as the standard contractual clauses mentioned above, the consequence for users is that these data transfers can be expected to be legal with the users' consent, as a way of guaranteeing compliance with the GDPR.