The Data Protection Commission (DPC) has strongly welcomed a decision by the European Court of Justice (ECJ) to rule that the EU-US Privacy Shield agreement, which covers the transfers of personal data from the EU, is invalid.
At the same time, however, the ECJ also upheld the use of the European Commission’s standard contractual clauses (SCCs), which are template contracts covering the transfer of data to third countries in general.
One data lawyer described the judgment as “a wake-up call” for EU businesses.
Validity
SCCs and Privacy Shield are widely used by organisations to legitimise transfers of personal data from the EU to third countries such as the US, where technology companies are legally obliged to give government agencies access to data on national security grounds.
The case, known as Schrems II, was initiated by the DPC to query the validity of SCCs, but also because it wanted “a decisive statement” from the EU’s top court on Privacy Shield.
“Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States,” the data regulator said.
Protection
Austrian campaigner Max Schrems had complained to the DPC that the US does not offer sufficient protection for data transferred to that country. He was seeking the suspension or prohibition of future transfers by Facebook Ireland of his personal data from the EU to the US.
As a result of an earlier case taken by Schrems, in 2015 the ECJ invalidated the EU-US Safe Harbor framework which was the predecessor to Privacy Shield.
The DPC said the latest judgment would require careful consideration in the coming days and weeks, but it was clear that its scope went far beyond Facebook and Mr Schrems.
Surveillance
On Privacy Shield, the ECJ found that the protection of personal data in the US under its domestic law did not satisfy the requirements of EU data privacy law.
“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons,” the court found.
It decided, however, that SCCs did contain effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law.
This was because the company transferring the data and the recipient were obliged to ensure that the required level of protection was respected in the third country concerned, and that the data recipient was also obliged to tell the data exporter about any inability to comply with EU law.
SCCs 'questionable'
The DPC said it was clear that while SCCs were valid in principle, in practice they were now “questionable” in relation to data transfers to the US.
“This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis,” the data regulator said, adding that it would work with its EU counterparts to give effect to the court’s judgment.
Mr Schrems welcomed the ruling, describing it as “a total blow” to Facebook and the DPC. Facebook said it was carefully considering the findings.
Wake-up call
John Magee, head of data protection, privacy and security at DLA Piper Ireland, said the judgment had serious implications and was a wake-up call for EU businesses.
Businesses that previously relied upon Privacy Shield will have to find an alternative method, he said.
If using SCCs, however, firms will need to verify the existence of appropriate safeguards, he said, adding that the issue was likely to trigger a new round of political discussions between the EU and US.