In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.
Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient. Specifically, the Court held that GDPR Article 46(1) and 46(2)(c) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.
According to the Court, “the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.”
The Court also held that “unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law . . . cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.”
In response, the European Commission quickly issued remarks affirming its commitment to working with its American counterparts to address the Court’s decision. It also emphasized that the Commission is working to modernize the Standard Contractual Clauses.
In the United States, the Department of Commerce issued a statement saying that it was disappointed with the decision but that, while the decision invalidated Privacy Shield, it “does not relieve participating organizations of their Privacy Shield obligations.”
Ultimately, entities that engage in covered data transfers will need to reexamine their transfer mechanisms to ensure that they comply with the Court’s decision.