EU Declares the EU-US Data Protection Shield Inadequate: Immediate Consequences for Businesses Transferring Personal Data to the USA and Other Countries



On 16 July 2020, the Court of Justice of the European Union (“CJEU”) finally rendered its long-awaited judgement in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems (“Schrems II”), on the validity of Standard Contractual Clauses (“SCC”) as a mechanism for transferring personal data from the EU/EEA to third countries under the General Data Protection Regulation (“GDPR”). In its decision, the CJEU considers that Commission Decision 2010/87 on standard contractual clauses is valid. However, the CJEU also ruled on the adequacy of the protection provided by the EU-US Data Protection Shield and invalidated it.

Swiss data protection law also uses the protection of the SCCs and the Privacy Shield as mechanisms for data transfers. Both in Switzerland and in the EU, many businesses rely heavily on the SCCs and the Privacy Shield for their data transfers to countries outside of the EU/EEA or Switzerland. As a result of the CJEU’s judgement, businesses will need to take immediate action or be in breach of data protection laws. Find out in our blog what this landmark decision from the CJEU means for your business.

1. What has happened so far?

Max Schrems is a privacy activist who is concerned about the cooperation between US companies and US intelligence agencies, particularly about Facebook sharing personal data of EU residents with the US National Security Agency. The fundamental argument before the CJEU has been the alleged power of the US to carry out mass surveillance of EU residents’ personal data without justification. These concerns led to the Schrems I case and the invalidation of the Safe Harbour Framework in 2015. This framework was a mechanism that legitimised data flows from the EU to the US. Max Schrems then challenged the validity of the SCCs and the Privacy Shield in the Schrems II case, using arguments similar to those in the Schrems I case.

In December 2019, the CJEU’s Advocate General (“AG”) Henrik Saugmandsgaard released a non-binding opinion on the Schrems II case, in which the AG stated that the SCCs generally provide sufficient protection for personal data. Notwithstanding this, the AG also raised concerns as to whether the Privacy Shield is sufficient as an alternative transfer mechanism under the GDPR.

Although the AG stated that the SCCs are a valid transfer mechanism, he also suggested that new obligations for those using the SCCs should be implemented. In particular, he proposed that they need to examine the national security laws of the country of the data importer to determine whether the data importer can comply with the terms of the SCCs.

Against this backdrop, the CJEU released its decision in the Schrems II case on 16 July 2020.

2. What does the CJEU decision say?

In short, the CJEU comes to the conclusion that the SCCs are valid as such, but that parties to SCCs are obliged to ensure that they are able to meet the level of protection provided for in the SCCs. The EU-US Data Protection Shield on the other hand does not provide sufficient guarantees for data transfers and is therefore invalid.

2.1. Decision 2010/87 on Standard Contractual Clauses

When evaluating the validity of Commission Decision 2010/87 on the SCCs, the CJEU stated that the validity of that decision is not called into question by the mere fact that the SCCs do not bind the authorities of the third country to which data may be transferred. However, that validity depends on whether the decision includes effective mechanisms that make it possible to ensure compliance with the level of protection required within the EU by the GDPR. The CJEU made it clear that the transfer of personal data pursuant to SCCs must be suspended or prohibited in the event of the breach of the provisions in the SCCs or if it is impossible for the data importer to honour its obligations under the SCCs.

The CJEU stressed that, in its opinion, the SCCs establish mechanisms that can ensure the same level of data protection as required in the EU by GDPR. However, the court highlights that the decision on the SCCs puts an obligation on the data exporter and the data importer to verify, prior to any transfer, whether the relevant level of data protection is respected in the third country to which data is exported. Furthermore, the CJEU reads into the SCCs an obligation on the data importer to inform the data exporter of any inability to comply with the SCCs. If the data importer is not able to comply with the SCCs, the data exporter has to suspend the transfer of data immediately and/or to terminate the contract with the data importer at the next possible opportunity.

2.2. Decision 2016/1250 on the EU-US Data Protection Shield

With regard to the validity of the EU-US Privacy Shield, the CJEU holds that the primacy given to the requirements of US national security, public interest and law enforcement clashes with the requirements from GDPR guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection. In particular, the CJEU stated in its decision that even though US law includes requirements with which the US authorities must comply when implementing their surveillance programmes, the provisions do not grant data subjects actionable rights against the US authorities before the courts. The CJEU stated that, contrary to the position taken in the Commission Decision on the Privacy Shield, the Ombudsperson mechanism does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law. Based on this and other arguments, the CJEU invalidated Decision 2016/1250 on the EU-US Data Protection Shield.

3. What does this decision mean for my business?

For businesses in the EU and businesses in Switzerland that are subject to GDPR, this means that for data transfers to the USA, they are left in an impossible situation. According to the CJEU decision, they will have to opt for another data transfer protection mechanism than the Privacy Shield, for example Binding Corporate Rules for group internal transfers. For non-group internal transfers, the strict interpretation of the court decision would be that a lawful data transfer to the USA is no longer possible.

The Swiss-US Privacy Shield is not directly affected by the CJEU decision and so remains in force for the time being. However, it is very likely that it will also be declared invalid, and so Swiss businesses relying upon it for transfers of data to the USA should take action now to put in place alternative protections.

For businesses working with SCCs, this decision clarifies the obligations of the data exporter and the data importer when using the SCCs as a transfer mechanism. So far, many entities have simply signed SCCs as a formality without making any further enquiries into the data protection law of the country to which they are transferring their data. With this decision of the CJEU, this pragmatic business approach brings major legal risks. The CJEU defined the following obligations, all of which have to be fulfilled when using SCCs:

  • The data exporter has to verify, prior to any transfer, whether the relevant level of data protection is respected in the third country to which data is exported.
  • The data importer of a data transfer has to inform the data exporter of any inability to comply with the standard data protection clauses.
  • If the data importer is not able to comply with the SCCs, the data exporter has to suspend the transfer of data and/or to terminate the contract with the data importer.

From now on, businesses in the EU, and likely also in Switzerland, will have to pay closer attention to the precise terms of SCCs and make sure that they really live by them, and not just on paper. At this stage, it is difficult to see how data importers in many countries will be able to meet their obligations under the SCCs and so how data can be transferred to those countries at all.

If you are unsure whether you have to change the mechanisms for data transfers in your business, please reach out to us. We would be happy to discuss with you what the decision may mean for your business.



MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.
