In its long awaited judgment in the Schrems II case, the ECJ has this morning invalidated the EU-US Privacy Shield citing the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” in respect of personal data transferred from the European Union to the United States on the basis that such limitations do not provide the protections ensured under EU law. The ECJ’s concerns centered around certain US surveillance programs which are not limited to what is strictly necessary and EU data subjects not having effective rights of enforcement against US authorities under US laws.
What makes this judgment more interesting is that while the ECJ has upheld the per se use of EU Commission-approved Standard Contractual Clauses (SCCs) for data transfers from the European Union to third countries, with the reasons cited for the invalidation of the EU- US Privacy Shield, it has in effect questioned the use of SCCs for data transfers from the European Union to the United States, at least in certain circumstances. In line with the European Data Protection Board’s (EDPB) submissions and the Advocate General’s opinion, the ECJ highlights that it is for the data exporter and importer to determine whether the use of SCCs is appropriate. Unless parties are satisfied that the importing party can comply with its obligations under the SCCs taking into account the country in which the importer is based, transfers made pursuant to the SCCs should be suspended. When a complaint is made to a supervisory authority with regards to use of SCCs in any specific situation, it will be for such supervisory authority to determine whether the use of SCCs in that particular arrangement was appropriate, taking into account the protection of personal data provided by, and rights afforded to data subjects to under, the laws of the country into which the data is transferred. In light of the complaint made by Schrems in respect of the use of SCCs by Facebook Ireland for transfers of data to the United States, the Irish Data Protection Authority (IDPA) will now have an unenviable task to determine whether Facebook Ireland’s use of SCCs for such transfers is appropriate. With a large number of US companies having their European base in Ireland, and the ECJ’s views on certain US surveillance programs and its determination that data subjects do not have effective and actionable rights in US courts against authorities in the United States, the IDPA will have to tread carefully on the position it now takes on the use of SCCs by Facebook Ireland. In light of ECJ’s judgment today, will data exporters be opening themselves up to data subject claims and regulatory scrutiny by using SCCs for transfers of data to the United States? It’s a question every data exporter must ask as they reassess their use of SCCs. Trans-Atlantic transfers are heading into uncertain times; it remains to be seen how the EU regulators will react to this judgment and whether the UK will deviate from Europe in its approach to data transfers in the post BREXIT era as it negotiates a trade deal with the United States.