Today was the day that privacy pros were waiting for — the decision of the Court of Justice of the European Union (CJEU) on what has come to be known as ‘Schrems II’. The case was a complicated one that involved Ireland and Facebook. A full press release about Schrems II details the decisions made and covers probably more than you would want to know.
The outcome of the court’s decision was that Privacy Shield was held to be invalid.
What is Privacy Shield?
For those of you who are unaware, Privacy Shield is a scheme that was agreed upon by the EU Commission and the US Department of Commerce to facilitate the transfer of personal data between the EU/EEA and the US. It involved a US company agreeing to a set of principles and the scheme was managed by the US Dept of Commerce. A company that had self-certified under Privacy Shield could transfer data back and forth across the pond without any other data transfer safeguards.
What were the court’s reasons for their decision to declare Privacy Shield invalid?
The Court held Privacy Shield to be invalid because, in their words, “the limitations on the protection of personal data
arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” In other words, the Court said that the US law on surveillance and the access and use of personal data by the US authorities does not provide the appropriate level of protection of personal data as we have in the EU and UK.
What is the result of Privacy Shield being declared invalid?
The result of Privacy Shield being declared invalid is that recipients of personal data in the US will need to conduct a review to see if they are subject to obligations under relevant US surveillance laws. If they are, they can’t use Standard Contractual Clauses (SCCs) to transfer data either, because the US authorities will still be accessing the data, regardless of the transfer mechanism. However, US companies that aren’t subject to surveillance laws can use SCCs.
Fortunately, the Court didn’t declare Standard Contractual Clauses to be invalid as well. Standard Contractual Clauses are just that — contracts that were written by the EU Commission and are agreements between the data exporter and the data importer about how the personal data will be secured and how the rights of the data subject will be upheld.
How did the US Department of Commerce respond?
The US Department of Commerce issued a statement which said, “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.”
How did the ICO respond?
The ICO issued a full statement as well, which stated: “The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
The ICO issued an updated statement on the 27th of July 2020:
“Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime, you should take stock of the international transfers you make and react promptly as guidance and advice become available.
How did the European Data Protection Board respond?
The EDPB released a full statement recommending that “you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.”The UK government’s response was this: “The UK government is reviewing the details of the judgment. It remains committed to supporting UK organisations on international data transfers.”
The UK government’s response
was this: “The UK government is reviewing the details of the judgment. It remains committed to supporting UK organisations on international data transfers.”
Introducing the Trans-Atlantic Data Privacy Framework
In the time Since Privacy Shield was brought to end, the EU and US reached a new agreement in March 2022 to implement a framework to replace the Privacy Shield. Known as the Trans-Atlantic Data Privacy Framework, it promises to address concerns raised during the Schrems II case and ensure the privacy of all data transferred between both parties.
Need help with international data protection?
At Sapphire Consulting, we have our finger firmly on the pulse of all things data security-related. Our legal expertise and straightforward advice ensure you remain compliant every step of the way – regardless of the current legislation.
To take firmer control of your organisation’s data protection adherence, get in touch with us today.