Support Centre

EU: CJEU Schrems II judgment invalidates Privacy Shield Decision and provides clarifications on SCCs

Key takeaways:

  • EU-US Privacy Shield invalidated by the CJEU
  • Standard Contractual Clauses found to be valid; however, additional clarifications provided
  • Further guidance and statements expected
  • Register for our reactionary webinar at 11 AM ET / 4.00 PM BST later today here 

The Court of Justice of the European Union ('CJEU') announced, on 16 July 2020, that it had issued its judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection provided by the EU-US Privacy Shield ('the EU-US Privacy Shield Decision') invalid, but found that nothing affected the validity of Standard Contractual Clauses ('SCCs') in light of the Charter of Fundamental Rights.

“The impact of this decision is immediate and global,” said Eduardo Ustaran, Partner and Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells. “It goes significantly further than the invalidation of the Privacy Shield as it requires companies to bear in mind other countries' powers over data access when engaging in global data flows. This a big job.”

Specifically, and in relation to SCCs, the CJEU outlined that the assessment of the afforded level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country, as well as relevant aspects of the legal system of that third country in relation to any access by public authorities of the third country. Moreover, the CJEU held that a supervisory authority is required to suspend or prohibit the transfer of data to the third country when it believes that the protection required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put and end to the transfer. In addition, the CJEU found that SCCs are a mechanism that, in practice, make it possible to ensure compliance with a level of protection in accordance with EU law, as well as make it possible to guarantee that the transfer of data pursuant to the clauses is suspended or prohibited in the event of a breach of such clauses, or when it is impossible to honour them.

Moreover, the CJEU examined the validity of the EU-US Privacy Shield Decision in light of the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In this regard, the CJEU found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to that third country, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law. In particular, the CJEU noted that US public authorities' use and access of EU data were not circumscribed by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. Furthermore, the CJEU highlighted that, in relation to the requirement of judicial protection, the Ombudsperson mechanism does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, as it would require guarantees of both the independence of the Ombudsperson and of the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.

Lastly, None of your business ('NOYB') issued, on 16 July 2020, a first statement on the CJEU's judgment, outlining that organisations may also not use SCCs for the transfer of personal data, as the Irish Data Protection Commission ('DPC') must stop data transfers under this instrument.

You can read the CJEU's press release here, the Judgment here, and the NOYB's press release here.

Webinar: Live reaction to the key landmark decision on the future of international data transfers

We will host an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.

Panelists include:

  • William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
  • Caroline Louveaux - Chief Privacy Officer, MasterCard
  • Lee Parker - Director Data Privacy EU+, Biogen
  • Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
  • Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
  • Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
  • David Longford - Global Offering Manager, OneTrust DataGuidance

Access the webinar here.