CJEU judgment on data transfer to the USA
On 16 July the Court of Justice of the European Union announced its judgment in Case C-311/18 (Data Protection Commissioner v Maximilian Schrems and Facebook Ireland).
What did the Court decide?
The Court of Justice invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.
The CJEU also found that Commission Decision 2010/1250 on standard contractual clauses for the transfer of personal data outside the EEA is compliant with the GDPR, but pointed out that data subjects whose personal data is transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU. It is therefore necessary to take into account not only the contractual clauses agreed between the parties but also the law of the third country to which the data is transferred. The Court holds that the contractual clauses alone may not be a sufficient means of ensuring, in practice, the effective protection of data transferred to a third country, in particular where the law of that country allows its public authorities to interfere with the rights of the data subjects to whom that data relates.
What are the consequences of the judgment?
All entities that have previously transferred personal data to the United States on the basis of the adequacy decision regarding the EU-US Privacy Shield now need another legal basis for their transfers of personal data to the US.
Importantly, although Commission Decision 2010/87 on standard contractual clauses has not been declared invalid by the Court, in the reasons for the judgment the Court emphasised that before transferring personal data to a third country, the controller and the recipient of the personal data are obliged to satisfy themselves that the legislation of that third country enables the recipient to comply with the standard data protection clauses. Moreover, the data recipient is obliged to notify the controller of its inability to comply with the standard data protection clauses and of any change in legislation that is likely to have a substantial adverse effect on the safeguards and obligations provided by the standard contractual clauses.
The CJEU has not explicitly ruled against the transfer of data to the US pursuant to the standard contractual clauses; however, this seems to be the right way to interpret the judgment. The Privacy Shield was declared invalid because of the limitations on the protection of personal data arising from the fact that US law on the access to and use of data by US public authorities does not satisfy the requirements of the principle of proportionality, and because of limitations on the right to judicial protection. This would mean that data transfers to the US based on standard contractual clauses are also not allowed, given that under the applicable laws a US-based entity is unable to fulfil its contractual obligations under the standard clauses. A final settlement of this issue should await a commentary by the Personal Data Protection Office (UODO); nevertheless, this interpretation seems likely.
What actions need to be taken?
Each transfer of data to the USA must be analysed and verified in terms of whether in a given situation there is an appropriate legal basis for the transfer of personal data, in particular with regard to the applicability of the exceptions under Article 49 of the GDPR.
Data transfers pursuant to the standard contractual clauses to countries other than the US should also be examined to verify whether the data importer will be able, given the applicable national laws, to ensure that the obligations arising from these clauses are met.