The recent judgement of the European Court of Justice (CJEU) invalidating the EU-US Privacy Shield raised several questions concerning international personal data transfers. Companies that normally transfer personal data to the U.S. and use U.S.-based service providers are asking themselves: are we still allowed to do this? If not, what should we do now? In this short article we explain the judgement of the CJEU and the current situation.
1. What exactly was the CJEU’s ruling in relation to the Privacy Shield?
Recall that the Privacy Shield Framework was a mechanism to facilitate personal data transfers from the EU to the U.S. Under the Privacy Shield Framework, U.S. companies could self-certify, and on that basis the European Commission recognized that the U.S. provides an adequate level of protection for personal data transferred to those companies. This meant that no further guarantee was required for such data transfers.
In its judgement, however, the CJEU found that the Privacy Shield mechanism does not provide adequate protection for personal data transferred to the U.S. and therefore declared it invalid.
The reason for this is that U.S. domestic law, and in particular certain programmes enabling U.S. public authorities to access personal data transferred from the EU for national security purposes, offers only limited protection to data subjects and does not grant them actionable rights before the courts against U.S. authorities.
2. What was the CJEU’s ruling in relation to SCCs?
Standard contractual clauses (SCCs) are data protection clauses approved by the European Commission which parties can enter into to regulate a transfer of personal data from within the EU to any non-EU country.
The CJEU examined the SCCs under which EU-based data controllers can transfer personal data to non-EU-based data processors. In this regard, the CJEU found that the SCCs establish effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law.
This does not mean, however, that entering into such SCCs will by itself make the data flow legitimate. Before any data transfer from the EU to a non-EU recipient takes place, the parties must verify whether the non-EU country meets the level of protection required by EU law. If this is not the case, the data transfer cannot take place. Further, if the non-EU processor informs the EU data controller of any inability to comply with the SCCs, the latter must suspend the data transfer or terminate the contract.
3. Then what about our data transfers to the U.S. based on the Privacy Shield?
The CJEU’s judgement means that personal data transfers to the U.S. which are based on the recipient company’s certification under the Privacy Shield are illegal.
It should be noted that the CJEU invalidated the Privacy Shield Framework without maintaining its effects, which means that there is no grace period with regard to such data transfers.
To sum up, if your company is transferring personal data to the U.S. based on the Privacy Shield Framework, including where you use a U.S.-based service provider who stores the transferred personal data in the U.S., you need to check whether you can do so on another legal basis.
4. Can we transfer personal data to the U.S. based on SCCs?
Such another legal basis could be the SCCs, which are still valid. However, you must consider that the CJEU also ruled in its judgement that any company that uses the SCCs is required to assess the laws of the country to which data is being transferred, to determine whether those laws sufficiently protect personal data.
You must remember that the CJEU ruled, in relation to the Privacy Shield, that U.S. law does not provide adequate protection for personal data transferred to the U.S. Therefore, it is highly doubtful that a data transfer to the U.S. based on the SCCs alone would be lawful. However, if you put certain supplementary measures in place, data transfers could still be lawful. What those supplementary measures may be remains an open question; the European Data Protection Board (which leads the EU data protection authorities) has indicated that it will provide guidance on this point.
Nevertheless, if your final conclusion is that appropriate safeguards cannot be ensured, you should stop transferring personal data to the U.S. If, despite this conclusion, you still intend to transfer data to the U.S., you must notify the competent data protection authority.
5. What about other exceptions?
It is true that, even without an adequacy decision or appropriate safeguards (such as the SCCs), in certain cases you are allowed to transfer personal data to non-EU countries.
This is the case when the data subject has explicitly consented to the data transfer after having been informed of the risks, or if the transfer is necessary for the performance of a contract concluded with the data subject. Another exception is if an occasional data transfer is necessary for the legitimate interests of the controller, provided these are not overridden by the data subject’s interests.
However, we warn against relying on such exceptions for mass data transfers: whether their conditions are fulfilled is always decided on a case-by-case basis, which could jeopardize the lawfulness of the data transfer.
The CJEU decision has put companies transferring personal data to the U.S. in a difficult position. If you are transferring personal data to non-EU countries, especially to the U.S., we advise you to conduct a review of your data transfer activities and assess the adequacy of your data transfer mechanisms. If you were transferring personal data to the U.S. based on the Privacy Shield Framework, you must find another valid legal basis or, failing this, as a last resort, stop your data flows to the U.S.
© International Law Firms 2016-2017 All rights reserved.