Schrems II – The End of Privacy Shield
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited judgement in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18, commonly referred to as Schrems II).
The Decision
The judgement has two main implications. The first is that Standard Contractual Clauses (SCCs) remain valid for the transfer of personal data outside the European Union (EU). SCCs are model contract terms approved by the Commission that provide the "appropriate safeguards" required for transfers of personal data outside the territorial scope of the General Data Protection Regulation (GDPR), which covers the EU and the wider European Economic Area (EEA).[1] The Court did, however, attach a condition: before transferring, the exporter and importer must verify that the law of the destination country allows the importer to actually comply with the clauses, and supervisory authorities must suspend or prohibit transfers where an essentially equivalent level of protection cannot be ensured. For most organisations this aspect of the judgement changes less than the second, but it is not a blanket endorsement of SCCs.
The judgement's second implication is that the EU–US Privacy Shield is invalid. Privacy Shield was a framework agreed between the European Commission and the US Government (with a parallel Swiss–US arrangement) under which US organisations self-certified to a set of privacy principles, allowing them to receive personal data from the EU in compliance with the GDPR.[2] Following the judgement, the more than 5,000 organisations certified under Privacy Shield[3] can no longer rely on it as a lawful basis for transfers: they need another mechanism, such as SCCs, or must stop transferring.
The Court reasoned that US surveillance law, in particular the programmes authorised under Section 702 of FISA and Executive Order 12333, does not offer EU data subjects protection essentially equivalent to that guaranteed under EU law, and that the Privacy Shield Ombudsperson does not give those data subjects an actionable right of redress before an independent body. As the Court put it:
In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
What are the Implications of the Decision?
As a result of the CJEU's judgement, every organisation relying on Privacy Shield, including Facebook (one of the respondents in the case), must reconsider how it transfers personal data across the Atlantic.
Some affected organisations may decide to store and process the personal data of EU data subjects within the EU rather than transfer it at all. That arguably serves one of the GDPR's underlying aims: keeping the personal data of people in the EU under the protection of EU law.
As happened after Safe Harbour (Privacy Shield's predecessor) was struck down in Schrems I in 2015, the Commission and the US authorities are likely to negotiate a replacement mechanism. Until one exists, organisations that relied on Privacy Shield should move to SCCs and document, for each transfer, their assessment of whether US law permits the importer to honour the clauses.
[1] ‘Commission Decision of 5 February 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under Directive 95/46/EC of the European Parliament and of the Council’ (2010) <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en>.
[2] ‘Privacy Shield Overview’ <https://www.privacyshield.gov/Program-Overview>.
[3] ‘Privacy Shield List’ <https://www.privacyshield.gov/list>.