The Court of Justice declared the EU-US Privacy Shield unlawful in its judgement of 16 July 2020. According to the Court, the Privacy Shield does not provide sufficient guarantees that the transfer of personal data to the US takes place in accordance with the EU Data Protection Regulation (GDPR).
It was more specifically in the Schrems II case that the Court of Justice ruled on the validity of the Privacy Shield between the EU and the US.
1. What is the EU-US Privacy Shield?
The EU-US Privacy Shield was created in 2016 (see our article on this subject) to enable the transfer of personal data outside the European Union to the United States.
It was a legal framework that European and US companies could join to allow a valid and adequate transfer of personal data across the Atlantic Ocean, in accordance with the EU data protection rules.
This framework provides for a number of obligations and commitments that affiliated companies had to respect. It could be assumed that companies, once they joined the Privacy Shield, could guarantee a sufficient (adequate) level of protection with regard to such transfers of personal data.
However, this approach was not accepted by the Court of Justice. Indeed, in its judgment of 16 July 2020, the Court concluded that the Privacy Shield, as it exists today, does not offer sufficient guarantees compared to the applicable EU privacy rules (GDPR).
2. Why did the Court of Justice decide that the EU-US privacy shield is unlawful?
The Court of Justice is concerned about the access by US government authorities to personal data transferred from Europe to the US.
After all, the GDPR requires that every international transfer provides a (nearly) equal level of protection with regard to the data being processed. This level of protection is assessed on the basis of the contractual agreements concluded in this respect (such as the “Standard Contractual Clauses”) but also on the basis of the legislation that is applicable to the committed companies.
And this is precisely the issue.
The Court estimates that the US government is not bound by the obligations and commitments with which the members of the Privacy Shield must comply. These companies are and remain bound by the far-reaching access that the US government enforces on such data.
As a result, no adequate level of protection is provided for and therefore this transfer violates the GDPR.
According to the Court of Justice, the framework provided by the Privacy Shield is therefore unlawful.
The Court of Justice states that the "Standard Contractual Clauses" are lawful in principle, but in practice they can hardly be used for transfers to the US, since these will also be governed by US law, that takes priority.
It goes without saying that this judgement constitutes a serious obstacle to the exchange of personal data with the United States, which has an even bigger impact given the numerous American cloud services (Office, Amazon, Dropbox, Facebook...).
As a result, the use of these services by European companies is currently fundamentally illegal.
At the moment, it is not clear how to proceed since this decision undermines both the Privacy Shield, the Standard Contractual Clauses and the binding corporate rules. A period of uncertainty therefore arises in this respect.
Since no transition period is foreseen, data transfers under the Privacy Shield are immediately illegal and must be stopped immediately.
In many cases, the contractual relationship between the parties will have to include a clause that no transfers to the United States are allowed. However, this is difficult for US companies given the far-reaching power of the US government to request data stored outside the US on the basis of the "Cloud Act".
According to Article 49 of the GDPR, transfers to states that cannot provide an adequate level of protection are still possible in a number of situations, such as, for example, reasons of important public interest and in the case of explicit and informed consent of the data subjects.
However, these possibilities are limited and therefore difficult to use in practice.
In any case, we will keep you informed on this matter.
If you would like more information or assistance, please do not hesitate to contact us on +32 (0)2 747 40 07 or via firstname.lastname@example.org.