Author: Jon Belcher
The Court of Justice of the European Union has today (16 July) given its judgment in the latest round of the long-running dispute between Facebook and the privacy rights campaigner, Max Schrems. It is likely to have significant implications for international transfers of personal data.
The case involved the validity of the transfer of personal data from the EU to the US. The General Data Protection Regulation, like its predecessor the 1995 Data Protection Directive, contains a broad prohibition on the transfers of personal data outside the EU. However, this prohibition can be overcome in various ways. The most popular are where the transfer is to a country which the European Commission has decided gives adequate protection to personal data (a so-called 'adequacy decision'), or where the data exporter and the data importer agree to a contract containing European Commission approved standard contract clauses (SCCs). Both of these methods were under scrutiny in this case.
It was a case brought by Mr Schrems which led to the ruling in 2015 that the previous 'Safe Harbor' framework for data transfers to the US did not offer adequate protection for individuals in Europe. The latest case has moved on to consider the validity of the replacement for Safe Harbor, the EU/US Privacy Shield, which in reality is a partial adequacy decision for certain companies in the US, as well as the use of SCCs. Mr Schrems argued that neither the EU/US Privacy Shield nor the SCCs offered adequate protection to his data once it had been transferred to the US.
International data transfers
In the most eye-catching part of the judgment, the Court ruled that the EU/US Privacy Shield does not offer appropriate safeguards for data protection, because of the US government's wide powers to collect and review personal data held in its jurisdiction. Accordingly, the Court has annulled the adequacy decision in respect of the EU/US Privacy Shield. Data transfers under that framework will no longer be valid. As with the similar ruling in 2015 in respect of Safe Harbor, the EU Commission and US authorities may try again to find a replacement scheme, but this appears increasingly difficult, particularly with the existing US administration.
Court upholds the use of SCCs
Perhaps more importantly, however, the Court also ruled on the use of SCCs. To the relief of many businesses, the Court upheld the use of SCCs as a means of validating transfers outside the EU. But in doing so, the Court emphasised that putting in place SCCs alone is not enough to ensure adequate protection. Instead, data exporters must also consider the legal context in the recipient country. Where the laws of the recipient do not provide adequate protection, the use of SCCs is not enough, and the data exporter must not transfer the data.
So what does all of this mean? Businesses that export personal data to the US using the Privacy Shield framework will need to immediately assess the situation to determine what steps to take to validate the data transfers. The use of SCCs should also be reviewed.
This decision means that international data transfers are likely to become subject to much greater scrutiny and will potentially become more difficult. And with the UK leaving the post-Brexit transition period at the end of 2020, data transfers between the EU and the UK will become subject to these rules.
Now is the time for businesses to be reviewing their international data flows. Our data protection specialists are able to assist where required.