The recently published ‘Schrems II.’ decision of the European Court of Justice (C-311/18) brought significant changes concerning data transfers to the United States from the EU. In its decision dated 16 July 2020, the Court invalidated the Implementing Decision (EU) 2016/1250 of the Commission on the adequacy of the protection provided by the EU-US Privacy Shield. The Court further determined that certain standard contractual clauses for the transfer of personal data to processors established in third countries offer sufficient safeguards and are still valid, even though they came into force before the General Data Protection Regulation (GDPR).
In its above decision, the Court examined the requirements of the GDPR regarding data transfers in accordance with the Charter of Fundamental Rights of the European Union, as a result of which it came to the conclusion that the Privacy Shield does not provide effective judicial remedy for the data subjects in case of investigations carried out by US intelligence agencies and that in case of data processing by such controllers, the data protection guarantees, as well as guarantees protecting the privacy and other rights of data subjects similar to those required under EU law are not necessarily respected. After the publication of the above decision, NOYB – the organization founded by Max Schrems – submitted more than 100 complaints against such controllers – relying even indirectly on the services of American service providers, such as Google or Facebook –, which still transfer personal data to the territory of the United States with regard to the Privacy Shield.
The above decision of the Court, as well as the concerning dispute regarding transatlantic data transfer is essential, since before the Schrems II decision, European data controllers only needed to check – before transferring data to the United States, e.g. for requiring the services of US social media service providers or other tech companies –, whether their partners appear on the Privacy Shield List, as well as their contractual clauses concerning privacy and data protection.
After the above decision of the Court and the uncertainty caused by it, European data controllers must be more cautious concerning their transatlantic data transfers and the use of solutions and services of their American partners and find other guarantees for their transfers, including standard contractual clauses, other appropriate safeguards, binding corporate rules or – in exceptional cases – derogations for specific situations provided by the GDPR. This is especially important in the light of the fact that it would most probably take years for the Privacy Shield to be revised or be replaced by another adequacy decision, which would hopefully provide a solid basis for transatlantic data transfers in the future.
Source of cover photo: Pixabay
