ECJ invalidates Privacy Shield – future of data transfer to the US uncertain

In its ruling of 16 July 2020 (C-311/18), the European Court of Justice declared the Privacy Shield decision of the EU Commission invalid. This decision concerns the agreement of the same name on the transfer of personal data to the USA, which the Commission concluded some four years ago after the failure of the Safe Harbor Agreement. Both cases were triggered by complaints by Austrian data protection activist Max Schrems against the transfer of data by Facebook Ireland to Facebook servers in the USA. In conctrast, the ECJ considers the standard contractual clauses also submitted for review to be generally permissible.

Data transfer to third countries requires a legal basis. In practice, this mainly concerns adequacy decisions under Article 45 of the GDPR, by which the Commission certifies an adequate level of data protection to a third country, and appropriate safeguards under Article 46 of the GDPR, in particular standard contractual clauses.

Under the Privacy Shield Agreement, the United States had given assurances on the protection of personal data, which the Commission declared sufficient in an adequacy decision. As a result, data could be transferred to US companies that had undertaken to comply with the Privacy Shield rules. The ECJ considers the protective measures under the Privacy Shield to be insufficient. In particular, the court takes into account the extensive access possibilities – depending on the recipient – of US authorities to data stored in the USA and the lack of equivalent legal remedies. A data transfer on the basis of the Privacy Shield is therefore inadmissible.

The ECJ considers the standard contractual clauses approved by the Commission to be suitable safeguards in principle. At the same time, however, the Court makes it clear that agreeing on standard contractual clauses alone is not sufficient, but that each individual case needs to be reviewed to determine whether an equivalent level of protection is actually guaranteed in the recipient state. This obligation primarily applies to the controller who is transferring data to a third country. If necessary, additional safeguards must be agreed.

Data transfers on the basis of standard contractual clauses – especially to the USA – are thus not prohibited across the board, but must be subject to critical examination. The German supervisory authorities have announced a coordination to ensure uniform application of the legal framework. The outcome is expected in the coming months. However, companies should already now identify, review and, if necessary, adjust the data flows and transfer mechanisms affected by the decision.