The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.
Here is a very short first summary:
- Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way that, according to the court, complies with the requirements of EU law. As a consequence, companies must stop data exports from the EU to the US using that export mechanism.
- Standard Contractual Clauses (SCCs) remain valid but:
  - parties to the SCCs must verify on a “case-by-case basis” whether the law of the data importer ensures adequate protection for personal data, as required by EU law; and
  - upon receiving a complaint from a data subject, data protection authorities (DPAs) are required to suspend or prohibit a transfer of personal data to a third country where they take the view that, in light of all of the circumstances, the SCCs are not or cannot be complied with.
We are currently considering the impact of this decision for our clients and we will be updating this blog post over the coming hours and days as our thoughts develop. However, our initial observations are as follows:
- Whilst the judgment will have ramifications for many types of data transfers, the decision is particularly problematic for transfers to the US. The decision is very critical of the lack of safeguards, effective redress and proportionality of the major US surveillance programmes. Therefore, given the strength of the CJEU’s remarks, it may be difficult to justify making transfers to the US based on the SCCs for any personal data that is likely to be of interest to US public authorities.
- We expect that the European Data Protection Board (EDPB) and the DPAs will soon produce initial guidance to help organisations navigate the issues arising from this decision. It seems as though this is what the CJEU envisaged. The judgment pointed out that to help “avoid divergent decisions” by DPAs, the EDPB may issue “opinions” on these matters. We may also see DPAs clarifying how they will respond in terms of enforcement and potentially providing “grace periods” to give organisations time to get to grips with the implications of the judgment.
- We think that organisations should exercise caution if they are in the process of engaging in new offshoring and outsourcing arrangements. Where possible, allow the dust to settle and avoid making any major decisions before the EDPB and the DPAs have provided their views on the situation.
- This judgment has broad applicability and could impact transfers to any other non-EEA country that has not achieved adequacy status. This will include the UK if, after the Brexit transition period, the UK has not obtained an adequacy finding from the European Commission.
Please do join us for a webinar on Thursday 23 July at 4pm BST where we will be analysing the judgment in more detail. You can register for the webinar by clicking here.