Today, the Court of Justice of the European Union delivered a landmark judgement with significant practical impact for companies transferring personal data outside the European Economic Area to the United States. The Court of Justice confirmed the validity of the Standard Contractual Clauses for transfer of personal data between a controller in the EU and a processor in a third country (e.g., the US) adopted by the European Commission in Decision 2010/87/EU. The Court has, however, invalidated European Commission Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.
The dispute stems from the proceedings initiated by Mr Schrems, an Austrian Facebook user, who has lodged a complaint with the Irish supervisory authority responsible for monitoring the application of the provisions relating to the protection of personal data. According to Mr Schrems, the law of United States does not offer sufficient protection against public authorities surveillance of the data transferred from Facebook Ireland, the Irish subsidiary of Facebook Inc., to the servers located in the United States. This dispute gave rise to a judgement by the Court of Justice, on 6 October 2015, which declared the Safe Harbour mechanism (the predecessor of the EU-US Privacy Shield) invalid.
In his new complaint to the Irish supervisory authority, Mr Schrems argued that the Standard Contractual Clauses cannot ensure an adequate level of protection for EU data subjects and challenged the validity of underlying Commission Decision 2010/87. In addition, he claimed that there are no remedies provided that would allow the data subjects to rely on their rights to respect for private life and to protection of personal data.
As part of the subsequent judicial procedure in Ireland, the Irish High Court decided to refer 11 questions to the Court of Justice questioning, among other, the level of protection of personal data transferred to third countries on the basis of Standard Contractual Clauses, the validity of Decision 2010/87 and the validity of the European Commission Decision establishing the EU-US Privacy Shield.
On 19 December 2019, Advocate General (AG) Henrik Saugmandsgaard Øe delivered an Opinion proposing that the Court of Justice should not invalidate Decision 2010/87. According to the AG, the fact that third country authorities are not bound by Standard Contractual Clauses does not in itself render them invalid and that sufficiently sound and effective mechanisms are established to ensure that transfers are suspended or prohibited when the Standard Contractual Clauses are breached or impossible to honour.
The Judgment of the Court of Justice
The Court of Justice followed AG Opinion and held that the validity of the Standard Contractual Clauses is not undermined by the fact that these Clauses are not binding for the competent authorities in the third countries to which personal data is transferred. According to the Court, the Standard Contractual Clauses provide effective mechanisms to both ensure compliance with the GDPR and to suspend or prohibit transfers in case of breach or impossibility to comply with the Clauses.
The Court also highlighted that the supervisory data protection authorities of the EU Member States must suspend or prohibit transfers of personal data to third countries which do not offer an adequate level of protection of personal data if the Standard Contractual Clauses cannot be complied with in that county and the protection of the transferred personal data cannot be ensured by other means. In particular, the authorities must intervene if the controllers established in the EU has not themselves suspended or discontinue such transfers.
The Court has, however, invalidated the EU-US Privacy Shield. The invalidation is based on the finding that this mechanism is founded on a principle that the requirements of US national security, public interest and law enforcement have primacy over the fundamental rights of the individuals whose personal data is transferred to the US. The Court found that the resulting limitations on the protection of this personal data and its use by the authorities in the US, including use for surveillance which is not limited to what is strictly necessary, cannot ensure compliance with the requirements of the GDPR. The Court also held that the EU-US Privacy Shield does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law. Finally, according to the Court, the Ombudsperson established by the EU-US Privacy Shield lacks independence and power to adopt decisions that are binding on the US intelligence services.
The judgment of the Court has significant practical implications for companies transferring personal data to the US to entities certified under the EU-US Privacy Shield. Companies that have relied until now on this mechanism would need to consider immediately alternative methods for transfer of personal data, including the use of the Standard Contractual Clauses.