The European Court has today given its judgment which will come as a major blow to many businesses both in Europe and the US (particularly tech companies) which rely upon the Privacy Shield to transfer personal data to the US.
The judgment is concerned with the transfer of personal data by Facebook Ireland to its parent company in the US. Earlier this year we commented on the pre-judgment opinion of the Advocate General (“AG”), which focused on the Controller to Processor Standard Contractual Clauses (“C2P SCCs”) and the fact that the AG had opined that the validity of these clauses should be upheld.
Whilst the European Court has now confirmed the validity of the C2P SCCs, it has unexpectedly found the EU-US Privacy Shield to be invalid.
Take home points
- Businesses which are currently relying on the Privacy Shield to transfer personal data to the US will need to rapidly review their data transfer practices and put in place alternative measures to allow for the data to continue to be transferred lawfully.
- The most suitable mechanism for business-to-business transfers will most likely be for the organisation transferring the data to enter into standard contractual clauses (SCCs) with the US recipient.
- For situations where EU consumer data is transferred to a US business providing it with goods or services, the US recipient of the data may need to look at alternative transfer mechanisms available under the GDPR, such as the GDPR’s derogations.
- As a last resort, and given the continued uncertainties around data transfers to the US, some organisations may instead seek to retain data in the EU and pursue a data localisation strategy.
- Businesses which fail to put in place alternative measures will be exposed to claims for damages and fines by data protection regulators such as the Information Commissioner’s Office.
European Court Decision
In finding the Privacy Shield to be invalid, the European Court took the view that:
- the requirements of US national security, public interest and law enforcement were put before the fundamental rights of data subjects whose personal data are transferred under the framework;
- US law provides its public authorities with far-reaching surveillance powers which go beyond what is “strictly necessary” (including in respect of non-US individuals) and does not afford individuals adequate rights to challenge the relevant authorities before the courts;
- the Ombudsman mechanism provided for under the Privacy Shield, which is designed to provide data subjects whose data are transferred under the framework with a right of recourse, does not guarantee data subjects the same protections that they would be afforded under EU law (for example, the Ombudsman does not have the power to make decisions which are binding on the US intelligence services).
As such, the European Court decided that the Privacy Shield does not offer an adequate level of protection for data subjects whose personal data are transferred pursuant to it. This is the second time that a scheme for EU-US data transfers has been struck down, after the Safe Harbor was invalidated in 2015.