Europe’s top court has invalidated the EU-US Privacy Shield, wiping away a system set up to let companies transfer personal data from the EU to the US while protecting that data in line with the GDPR and the EU Charter of Fundamental Rights.
The Court’s ruling addresses two data transfer mechanisms, the Privacy Shield and the use of Standard Contractual Clauses for international data transfers. While much of the initial reaction has focused on the invalidation of the Privacy Shield, the Court’s judgment creates additional complexity for the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to third countries and opens the door for aggressive enforcement by national regulators.
On the EU-US Privacy Shield, the Court of Justice of the European Union (CJEU) pointed to two key flaws in the framework which meant that EU citizens did not benefit from a level of data protection in the United States equivalent to that in the EU, as the GDPR requires. The Court noted that the provisions of the Privacy Shield allowed for disproportionate and unlimited interference with the fundamental rights of EU citizens, and did not confer on EU citizens rights which were enforceable against US authorities in court. While this conclusion is not surprising, it sets a high bar for the US and EU to clear if they want to create a successor to the Privacy Shield. At first glance, any replacement would appear to require either a change to the US legislation which permits personal data gathering and surveillance, or a change in the surveillance activities of the US government and its agencies that excludes the data of EU citizens from surveillance, and does so in a way which would satisfy a court.
On Standard Contractual Clauses, which were the actual subject of the court case, the CJEU found that they remain a valid mechanism for transferring personal data to non-EU countries. However, companies and organisations using SCCs need to ensure that they comply with EU data protection law, taking into account how they use the SCCs and the local law and practices of the country to which they are transferring data. National data protection authorities have been empowered by the judgment to assess whether an individual company’s use of SCCs protects the privacy of EU citizens, and to suspend or prohibit transfers where they determine that it does not.
This part of the judgment potentially opens the door to aggressive enforcement of the GDPR by data protection authorities at a national level, and to the possibility of test cases being taken against particular companies, with the data protection authority then prohibiting the use of SCCs by any organisation to transfer personal data to a given third country. The GDPR has mechanisms in place for national data protection authorities to co-operate on issues which are likely to have a cross-border impact, and banning the use of SCCs to transfer data to a third country certainly seems to fall into this bracket. However, national data protection authorities frequently disagree on the application and enforcement of the GDPR, especially in cross-border cases where some regulators are perceived as slow or unwilling to act. This means that individual data protection authorities may feel the need to act quickly to prevent the privacy rights of their citizens being violated overseas.