With its judgment in Case C-311/18 (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), delivered on 16 July 2020, the Court of Justice of the European Union ruled on the transfer of personal data to third countries and confirmed that uncertainty. In particular, the Court:
- Declared invalid the European Commission's Implementing Decision (EU) 2016/1250 (the EU-US Privacy Shield, or "Privacy Shield"), which governed the transfer of personal data to the U.S.;
- Clarified that the European Commission's Standard Contractual Clauses (SCCs) for the transfer of personal data remain valid and binding, subject to a review of the applicable local legislation of the third country to which the personal data are transferred.
Companies should review the mechanisms they rely on to transfer personal data to third countries in order to avoid potential risks.
1. The reasons for the invalidity of the Privacy Shield
In the decision under review, the Court highlighted that the principles and rules under the Privacy Shield are subject to limitations for national security, law enforcement and other public interest purposes.
Consequently, organisations self-certified under the Privacy Shield are entitled to disregard the relevant principles to the extent necessary to meet national security, public interest or law enforcement requirements. This could affect the fundamental rights of the persons whose personal data are transferred from the European Union to the U.S.
These aspects had been previously analysed by the Commission before the adoption of the Privacy Shield decision. In that context, the Commission had considered that the U.S. legislation ensures an adequate level of protection for personal data transferred from the European Union to self-certified organisations in the United States under the Privacy Shield. Further, the Commission had found that the interference with individuals' fundamental rights (for purposes of national security, public interest or administration of justice reasons) was limited to what was strictly necessary to achieve the legitimate objective underlying the interference and that, in any event, there were effective legal remedies against such interference (e.g., recourse to the so-called Privacy Shield Ombudsperson).
The Court takes a different view on these issues. Among other things, the decision states that:
- The use of U.S. surveillance programmes is not limited to what is strictly necessary and, therefore, the relevant provisions of U.S. legislation do not guarantee, in compliance with the principle of proportionality, a level of protection substantially equivalent to that guaranteed by the Charter of Fundamental Rights of the European Union.
- U.S. legislation does not provide individuals whose personal data are transferred from the European Union to the United States with any effective remedy, since the institution of the Privacy Shield Ombudsperson is not sufficient to guarantee a level of protection "substantially equivalent" to that required by Article 47 of the Charter. In that regard, the Court points out that the Privacy Shield Ombudsperson, being appointed by the Secretary of State, is not fully independent of the executive, and is not expressly empowered to adopt decisions that are binding on the intelligence services.
Based on those findings, the Court concluded that the Privacy Shield decision is incompatible with Article 45 of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and that the Privacy Shield is therefore invalid as a whole.
2. Practical implications: use of the Standard Contractual Clauses
On a preliminary analysis, the Court's decision appears to have limited practical implications, since it confirms the validity of the SCCs as an appropriate means of ensuring an adequate level of protection for data subjects in the context of transfers of personal data to non-EU countries (and therefore, for transfers to the U.S., as a replacement for the Privacy Shield). Nevertheless, the effects of the decision are significant for transfers of data to third countries generally. The Court specified that the SCCs are a general instrument which must be completed taking into account the regulatory framework of the recipient country. In particular, where the legislation of the third country does not allow the recipient to comply with the SCCs, the parties are required to supplement the SCCs with additional safeguards in order to ensure the effective protection of the data being transferred.
Further, the Court pointed out that, where the data controller or processor is unable to adopt, within the foreign regulatory framework, additional guarantees beyond those already provided for in the SCCs, it is required to suspend or end the transfer of personal data.
In this context, the practical implications of this decision are immediate and significant for two reasons:
- Firstly, data transfers from the European Union to the U.S. based on the Privacy Shield no longer have a valid legal basis and, therefore, companies that have relied on this mechanism until now for the exchange of personal data must implement a different mechanism (e.g., SCCs or binding corporate rules);
- Secondly, in general terms (that is, for all transfers based on SCCs, not only those to the U.S.), the adoption of SCCs should be preceded by a risk assessment of the third country to which the data are to be transferred, in order to verify that the foreign legislation guarantees an "adequate level of protection" for the data subjects concerned (e.g., whether the obligations under the SCCs are enforceable there).