21 Jul 2020 | Data Protection

CJEU declares Privacy Shield invalid

By decision of 16 July 2020 (C-311/18), the European Court of Justice (CJEU) declared the EU-US Privacy Shield, which was the basis for a GDPR compliant transfer of personal data of EU citizens for numerous US service providers, to be invalid. The decision makes it necessary for all internationally acting companies, but also for companies simply working with service providers outside the EU, to closely review all data transfer to third countries, in particular to the USA, for GDPR compliance.

By decision of 16 July 2020 (C-311/18), the CJEU declared the EU-US Privacy Shield, which was the basis for a GDPR compliant transfer of personal data of EU citizens for numerous US service providers, to be invalid. The decision also raises questions regarding the use of the standard data protection clauses adopted by the Commission (“Standard Data Protection Clauses”) for safeguarding an adequate level of data protection when transferring data to  third countries, such as the USA, and clarifies that the mere execution of the Standard Data Protection Clauses can no longer be considered a guarantee for GDPR compliance. The decision thus makes it necessary for all internationally acting companies, but also for companies simply working with service providers outside the EU, to closely review all data transfer to third countries, in particular to the USA, for GDPR compliance. 

Background of the decision

The GDPR protects the personal data of EU citizens not only within the European Union. The GDPR also requires that personal data may only be transferred to countries outside the scope of the GDPR (so-called third countries) if an adequate level of data protection comparable to the GDPR is safeguarded in these third countries. For a number of countries this adequate level of data protection has been positively established by a Commission adequacy decision. Until now, this also applied to the USA, with the particularity that the adequacy decision did not apply per se to the entire USA, but only to companies that had certified themselves according to the rules of the EU-US Privacy Shield negotiated between the USA and the EU and had thus been subject to the provisions of this agreement. The EU-US Privacy Shield followed up to the so-called "Safe Harbor Agreement" in 2016, which the CJEU declared invalid in its ruling of 6 October 2015 (C-362/14) due to incompatibility with European data protection standards. 

As an alternative to such an adequacy decision, the GDPR provides for further mechanisms safeguarding an adequate level of data protection. A particularly important alternative in practice are the Standard Data Protection Clausesof the European Commission which are concluded directly between the data-exporting company and the data importing company. 

The decision 

In its decision of 16 July 2020, the CJEU now also declared the adequacy decision on the EU-US Privacy Shield to be invalid, thus depriving a high number of current data transfers to the USA of their legal basis. As regards the Standard Data Protection Clauses, the decision also contains statements which call into question the suitability of this instrument for ensuring an adequate level of data protection with regard to data transfers to the USA. 

Towards the EU-US Privacy Shield, the CJEU concludes that the adequacy decision regarding the Privacy Shield cannot be reconciled with the standards established by the GDPR, in particular because it does not proportionately limit the rights of access to personal data granted by US law to the US security authorities, nor does it provide the data subjects with an effective legal remedy for taking action against unlawful interference by US authorities. 

As a result, the adequacy decision on the EU-US Privacy Shield was declared invalid, so that on this basis a lawful data transfer to the US is no longer possible. 

In contrast, the CJEU explicitly confirmed, in relation to the Commission's decision on the Standard Data Protection Clauses, that the legal assessment had not revealed any evidence which might affect the validity of the decision. The Standard Data Protection Clausesthus remain as a potential basis for data transfers to third countries. However, also with regard to the Standard Data Protection Clauses, the judgment states that the assessment of whether an adequate level of data protection exists on the basis of the Standard Data Protection Clauses depends both on the contractual obligations and on whether the legal system of the third country safeguards an adequate level of data protection, in particular with regard to access to data by public authorities. At the same time, the court clarifies that it is the responsibility of the data processing companies to verify whether the data importing company is legally in a position to comply with the contractual obligations at all and, in case of doubt, to suspend the data transfer. 

Furthermore, the CJEU imposes an obligation on national data protection supervisory authorities to verify actual compliance with the contractual obligations stipulated by the Standard Data Protection Clausesand to intervene if these obligations cannot be met. 

Consequences of the decision 

The decision concerns not only data transfers to the US, but all data transfers to third countries for which no adequacy decision by the Commission exists. 

Individual agreements between the companies involved, Binding Corporate Rules and Standard Data Protection Clausescan still be used as a basis for GDPR compliant data transfers to third countries. However, in the future, more attention should be paid to whether the legal requirements at the data importer's place of business permit compliance with the agreed data protection rules. As in compliance with the CJEU decision, the competent data protection supervisory authorities will also put a closer focus on this, itis to be expected that European authorities develop a common position with regard to specific third countries in order to ensure uniform application of the law and greater legal certainty. 

What to do now 

  • While it is to be expected that the European data protection authorities will soon take a position on the CJEU decision, immediate action is required, as there is no transition period.
  • Any data transfer based solely on the EU-US Privacy Shield has been illegal since the decision and should be suspended immediately until an alternative basis for data transfers to the US is found.
  • In case of a data transfer based on contractual arrangements, such as the Commission's Standard Data Protection Clausesit should be examined whether the contractual obligations stipulated in such arrangement can be met subject to the legal requirement in the respective third country. In any event, it may be an option to meet the concerns of the CJEU by means of additional contractual provisions for a transitional period until a coordinated position of the data protection authorities emerges.
  • If necessary, a data transfer can also be carried out on the basis of one of the exemptions under Article 49 GDPR, in particular on the basis of express consent, whereby the legal requirements for effective consent must be complied with, unless another exception applies. 

Not least because of the clear call for action which the CJEU directed to the competent data protection supervisory authorities in its decision, the practical relevance of the ruling should not be underestimated.