On July 16, 2020, the Court of Justice of the European Union (the CJEU), in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (the Schrems Case), issued a landmark ruling invalidating the EU-US Privacy Shield.
What is the EU-US Privacy Shield?
According to the General Data Protection Regulation (EU) 2016/679 (GDPR), when personal data is transferred to a country outside the EU, special safeguards are required to ensure the protection of that personal data. The GDPR provides different legal tools for transferring data to a third country, such as:
The adequacy decision on the EU-US Privacy Shield, adopted on 12 July 2016 by the European Commission, recognized the Privacy Shield as providing an adequate level of protection and allowed the free transfer of data to certified companies in the US. As a result, the EU-US Privacy Shield Framework (the Framework) was designed by the US Department of Commerce and the European Commission to comply with EU data protection requirements when transferring personal data from the EU to the USA.
What are the facts of the Schrems Case?
The case concerns Max Schrems, an Austrian privacy advocate, who in 2015 filed a complaint with the Irish Data Protection Commissioner (the Irish DPA) against Facebook Inc., an entity established in the US, challenging Facebook Ireland’s reliance on the standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook Inc. in the USA.
In effect, Mr. Schrems sought to preclude the transfer of his personal data to the US by Facebook Ireland, claiming that the legislation and practices applicable in the US with regard to personal data protection do not offer sufficient protection. More specifically, it was alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, in particular because US legislation does not explicitly limit interference with an individual’s right to the protection of personal data in a manner equivalent to EU data protection law.
In particular, Mr. Schrems argued, among other things, that the personal data of EU data subjects might be at risk of mass processing by the US government once transferred, without a level of protection equivalent to that guaranteed by EU data protection law and the Charter of Fundamental Rights. More specifically, it was alleged that US law requires Facebook Inc. to make the personal data transferred to it available to certain US authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), in the context of various monitoring programmes that are inconsistent with applicable EU law.
In addressing the issues raised in the Schrems Case, the CJEU was asked, among other things, to examine whether the EU-US Privacy Shield Framework was compliant with the GDPR.
What is the ruling of the CJEU?
The CJEU declared the EU-US Privacy Shield Framework invalid, holding that the application of US law is incompatible with the principles of necessity and proportionality enshrined in the GDPR. More specifically, the CJEU decided that the limitations on the protection of personal data arising from US national law, which governs access to and use of data transferred from the EU to the USA by US public authorities, are not circumscribed so as to provide protection equivalent to that required under EU law and the Charter, such that surveillance programmes based on those national law provisions are not limited to what is strictly necessary.
Additionally, the Court reasoned that, because US law does not provide any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, it falls afoul of the essence of the fundamental right to effective judicial protection enshrined in Article 47 of the EU Charter and is incompatible with Article 45 of the GDPR.
Regarding the SCCs, the CJEU considered that the SCCs remain in force, but under strict conditions. It is the responsibility of the exporter and the importer (the controller and the processor) to judge whether the third country to which the data will be transferred offers adequate protection, and on that basis to decide whether or not to enter into SCCs.
When performing this prior assessment, the exporter shall take into account the content of the SCCs, the specific circumstances of the transfer, and the legal regime applicable in the importer’s country. These factors are non-exhaustive.
What is the significance of the CJEU ruling?
As a general remark, the Schrems ruling recognizes the merit of the concerns that have long been expressed at EU level with regard to the adequacy of the protection granted to personal data under the EU-US Privacy Shield. The ruling has implications that reach well beyond the USA: it affects all organizations that transfer, or intend to transfer, data to the USA or to any other third country.
It creates legal uncertainty as to which legal bases to use for data transfers to other third countries and what the transition period will look like. It remains to be seen how this ruling will be implemented in practice; however, it can be said with certainty that the EU-US data protection framework will have to be revisited in a manner that ensures compliance with applicable EU data protection legislation.