In today's Schrems II decision, the ECJ overturns the "Privacy Shield", but declares Standard Contractual Clauses to be effective.
What has happened so far
For some years now, there has been a dispute about the conditions under which controllers located in the EEA may transfer personal data to the US. Since the revelations of Edward Snowden, it has become clear that US security authorities can access such data and make extensive use of this possibility. Under the GDPR, personal data may only be transferred to a third country if that country guarantees an adequate level of data protection. If this is not the case, the controller must provide appropriate safeguards that give data subjects effective and enforceable rights in relation to their data. Such appropriate safeguards may in particular result from Standard Contractual Clauses ("SCC") drawn up by the EU Commission.
In order to enable data transfers to the US without SCC, the EU Commission and the US government initially agreed on a certification mechanism for companies based in the US ("Safe Harbour Agreement"), and the EU Commission issued an adequacy decision recognising companies certified under that mechanism as providing an adequate level of data protection ("Safe Harbour Decision").
Max Schrems, an Austrian lawyer, data protection activist and Facebook user, challenged the EU Commission's Safe Harbour Decision by asking the Irish Data Protection Authority to prohibit transfers from Facebook Ireland to the parent company in the US. In its "Schrems I" ruling, the ECJ declared the Commission's Safe Harbour Decision invalid.
The US government and the EU Commission then reached an agreement on a "Privacy Shield", which ultimately provided for a certification mechanism comparable to the Safe Harbour Agreement. The EU Commission again issued a corresponding adequacy decision. Mr Schrems challenged this decision as well.
Today’s judgement of the ECJ
The European Court of Justice (ECJ) has now decided in its ruling of 16.07.2020 (Ref.: C-311/18; "Schrems II") that the adequacy decision of the EU Commission on the Privacy Shield is also invalid. In particular, with regard to certain surveillance programmes operated by US authorities, the decision gives no indication that the authorisation under which these programmes are implemented is subject to any restrictions.
However, the ECJ considers the SCC drawn up by the EU Commission to be valid. The court's decisive reason was that they provide mechanisms which can guarantee in practice that the level of protection required by EU law is observed. However, the data exporter and the recipient of the transfer must check in advance whether the required level of protection is maintained in the third country concerned. The recipient may have to notify the data exporter that it cannot comply with the standard clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient.
Companies in the EEA that transfer personal data to the US should urgently review the legal basis for such transfers. For example, when cookies and other analysis/tracking tools are used on websites, personal data is often transferred to the providers of such tools in the US, which up to now has mostly been based on the Privacy Shield. In those cases, concluding SCC instead can provide a remedy.