24 July 2020 - Janneke Popma

Schrems II judgment: Privacy Shield invalid, what does this mean for you

Last week the Court of Justice of the EU (CJEU) issued its long awaited judgment on the transfer of personal data to the United States (Schrems II). We will discuss the practical consequences the judgment might have for your organization.

Transfer of personal data to a third country 

The transfer of personal data from the EU to a third country is only permitted under the General Data Protection Regulation (GDPR) if it does not undermine the level of protection that the GDPR offers to personal data of Europeans. The GDPR offers a number of possibilities to achieve this. Two of those were the subject of the Schrems II case:

  • transfer on the basis of an adequacy decision;
  • transfer on the basis of Standard Contractual Clauses, as provided by the European Commission.

Schrems II judgment

Privacy Shield

The EU-US Privacy Shield is an example of an adequacy decision. The Privacy Shield, which was approved by the European Commission in 2016, allowed companies to self-certify their compliance to GDPR standards and thereby provide for an “adequate level of protection” for the transfer of personal data from the European Union to the United States.

However, the CJEU considers that the Privacy Shield does not provide sufficient protection because EU citizens have no legal remedy if they have a complaint about the processing of their personal data, and because access to data held by US intelligence agencies is not limited to what is strictly necessary while this is required under the GDPR. Therefore, the CJEU has declared the Privacy Shield to be invalid. This means that organizations in the EU can no longer transfer personal data to the United States using the Privacy Shield.

This is the second time that the CJEU has put a stop to a basis for the transfer of personal data to the United States. In 2015, the Court declared the so-called “Safe Harbor” decision invalid. The Privacy Shield was intended as a solution, but is also insufficient according to the CJEU.

Standard Contractual Clauses (SCCs)

The Court found that on the basis of SCCs an adequate level of protection for the transfer of personal data can be guaranteed. However, the transfer of personal data may be suspended or prohibited if the SCC’s are violated or impossible to comply with. The entity that sends the personal data to a third country must check on a case-by-case basis whether the rights of data subjects are guaranteed under the GDPR.

What’s next?

As a result of the Court’s judgment, organizations can no longer transfer personal data to the United States if the transfer is based on the Privacy Shield. Therefore, if your organization transfers personal information to the United States, you must take action and look for an alternative basis for the transfer. SCCs remain valid, so they could serve as an alternative solution. However SCCs can only be used if an equivalent level of protection can be ensured in practice. If your organization wants to invoke the standard provisions, you will always have to assess whether the rights of data subjects are guaranteed under the GDPR. Attention is therefore required.

The European Data Protection Board (EDPB) will shortly provide instructions on additional measures that organizations can include in model contracts. 

If you should have any further questions, do not hesitate to contact us.