Sweden: CJEU rejects Privacy Shield as Legal Basis for Processing Personal Data in the US
The European Court of Justice rejects Privacy Shield as legal basis for processing personal data in the US – and clarifies that even the standard clauses may be insufficient in some cases
On 16 July 2020, the European Court of Justice ruled in Case C-311/18 (the “Schrems II case”), which concerned Facebook’s transfer of personal data from servers in Ireland to servers in the United States. The Court concluded that personal data can no longer be legally transferred to the United States (or processed with access from the United States) on the basis that the recipient has self-certified under the Privacy Shield framework. This is because all companies in the United States, even if they are certified, are subject to legislation that gives US authorities very far-reaching opportunities to request access to personal data.
An alternative legal basis for the transfer of personal data to the United States, and also other countries outside the EU, is to sign agreements with the recipient that contain the EU Commission’s protective standard clauses. In the Schrems II case, the European Court of Justice also ruled on the EU Commission’s standard clauses. These are not rejected as a legal basis for the transfer of personal data outside the EU, but the court clarifies that they do not automatically make a transfer legal. If the conditions in the country are such that the standard clauses cannot be complied with by the recipient, they may be insufficient to ensure a legal basis for the processing of personal data outside the EU. The statements of the European Court of Justice in the judgment on the insufficient level of protection of personal data in the United States indicate that a transfer to the United States on the basis of the model clauses can also be considered unauthorised.
What are the consequences of the verdict?
The ruling is expected to lead to intensified discussions between the EU and the US on how personal data can be processed in the US, with a sufficient level of protection according to the GDPR.
The ruling means that anyone who today allows personal data to be processed in the United States with the support of the Privacy Shield must secure another legal basis.
As the Court finds that the EU Commission’s standard clauses may be insufficient to transfer personal data to certain countries, alternatives to the standard clauses may need to be considered if processing of personal data is to continue legally in the US or in other non-EU countries where there is a risk of non-compliance.