On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.
In the aftermath of this unexpected ruling, organizations in the EU and U.S. that rely on Privacy Shield certification for transfers of EU personal data are awaiting guidance from EU data protection regulators, who are yet to adopt a consistent approach to these questions. In the UK, the Information Commissioner’s Office (“ICO”) has stated that it stands ready to support organizations and work to ensure that global data flows continue. Its guidance on international transfers has been updated to advise those currently relying on the Privacy Shield to continue to do so for their existing transfers, though organizations are advised not to start using it at this time. In Ireland, however, the Data Protection Commissioner highlighted the ongoing issues the ruling presented, not only for the Privacy Shield framework, but also for the SCCs as regards transfers of personal data to the U.S. It stated that the court had “ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
In Germany, a more stringent approach has been adopted in some regions. In Berlin, the data protection commissioner Maja Smoltczyk has called on Berlin-based companies to return EU data currently stored in the U.S. back to the EU, stating, “[t]he times when personal data is transferred to the US for convenience or cost savings are over after this judgment. Now is the time for Europe’s digital independence.”
The European Data Protection Supervisor (“EDPS”) has stated that it will continue to strive for a coherent approach among supervisory authorities regarding international transfers. It is analyzing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies.
The EDPS’s message on consistency was echoed by the European Data Protection Board (“EDPB”) in its own statement, which confirmed that the EDPB will “assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.” The EDPB also commented that it stands ready to provide the European Commission with assistance and guidance to help it build, with the U.S., a new framework that fully complies with EU data protection law.
UPDATE: The EDPB has published a set of FAQs to assist organizations relying on the Privacy Shield Framework and SCCs for transfers from the EU to the U.S. in the wake of the Schrems II judgment. In addition, and in line with these FAQs, the UK’s ICO is no longer recommending that those currently relying on the Privacy Shield Framework continue to do so for the time being. Instead, it has reiterated that the Privacy Shield is no longer a valid way to transfer personal data outside of the European Economic Area.