European Court invalidates US Privacy Shield and questions blanket use of Standard Contractual Clauses

On 16 July 2020, the European Court of Justice decided, overturning the 2016 Privacy Shield Decision of the European Commission, that the US Privacy Shield did not, and does not, provide an adequate level of protection for the transfer of personal data from the EU to the US.

As a result, organisations currently transferring personal data to the US must ensure that they use an alternative legal basis to achieve adequate protection for the transfer of personal data to the US.

The Court also considered the Commission’s 2010 Decision (amended in 2016) that the use of specified model contractual clauses (also described as Standard Contractual Clauses or SCCs) provides an adequate level of protection for the transfer of personal data from the EU to third countries. Whilst the Court did not overturn the Commission’s SCC Decision, it observed that a contract between an EU data exporter and an extra-EU data importer cannot bind the public authorities in non-EU countries, and so cannot be relied upon for data export without a consideration of the laws of the non-EU country and the potential use of (unspecified) ‘additional safeguards’:

“…In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection…

…It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

Paras 133 and 134 of ECJ “Schrems II” Judgment

The impact of the Court’s judgment on standard contractual clauses is profound. Many organisations which currently rely on a web of EU standard contractual terms (aka model contracts) for data export around the world will be forced to reassess their arrangements and to consider what additional safeguards may be needed to ensure that personal data exported from the EU has an adequate level of protection.

Whilst the use of binding corporate rules (or BCRs) is a possibility for multi-national intra-group transfers, the process is neither quick nor easy and is of no help for data export to third parties.

As it is not the role of the Court to consider what happens next, the key question is what will the EU Commission do in response to this judgment? They will have to deal both with an angry US and businesses whose current data export arrangements are now potentially illegal.

The EU Commission’s review and update of the current SCCs (not least to update them in light of GDPR) has been on hold pending this judgment, but hopefully they will now be able to move quickly and publish updated SCCs taking account of both this judgment and GDPR.

In the interim, organisations exporting personal data outside the EU, and to the US in particular, face uncertainty. It is likely that national regulatory bodies will issue pragmatic guidance to allow business to continue whilst the full implications of the Court’s decision are worked through. At the date of writing, the ICO (the UK data protection regulator) said:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”