The Court of Justice of the European Union (CJEU) has ruled that the European Commission’s decision under which EU citizens’ personal data can be transferred safely to the US (the so-called EU-US Privacy Shield) is invalid. The Privacy Shield framework was designed by the US and the EC to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU and to the US. The CJEU ruling will have a major disruptive impact on the flow of transatlantic data.
The court in its judgement in the long-running case between the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (case C-311/18) found that the Privacy Shield does not give sufficient protection of EU citizen’s personal data and invalidated the EC’s decision 2016/1250.
Mr Schrems, an Austrian privacy activist, argued that some or all of his personal data was transferred by Facebook Ireland to servers belonging to Facebook Inc that were located in the US, where it underwent processing. Mr Schrems lodged a complaint with the Irish Data Protection Commission seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the US did not offer sufficient protection against access by the public authorities to the data transferred to that country.
The CJEU said in a statement that: ‘… the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.’
Members can access the court ruling by clicking here.
As part of the case, the CJEU also considered the EC’s decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries which it ruled as valid. This means that transfers of data to the US are still valid where binding corporate rules (BCRs) or standard contractual clauses (SCCs) are used.
BIBA members’ compliance and regulation queries should be directed to: [email protected].