The Court of Justice of the European Union (“CJEU”) issued its judgment in case C-311/18 (also known as the “Schrems II” case) and invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.
The CJEU also held that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid, so that the Standard Contractual Clauses (“SCCs”) may still be considered adequate safeguards for EU-US data transfers.
The use of SCCs must be assessed on a case-by-case basis, in particular considering the “relevant aspects of the legal system of the [relevant recipient] country”. This is all the more so because the data exporter based in the EU that sends data out of the EU under the SCCs is responsible for providing appropriate safeguards, as well as for the assessments and for potentially implementing “supplementary measures”.
However, the validity of Decision 2010/87 does not prevent the Data Protection Authorities (“DPA”) from suspending or prohibiting a personal data transfer based on SCCs. In this context, the competent DPA is required, under Article 58(2)(f) and (j) of the GDPR, to suspend or prohibit such a data transfer if, in its view and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
Regarding the level of protection required in respect of such a data transfer, the CJEU holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to SCCs must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. Thus, the CJEU specifies that the assessment of such level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.
The European Data Protection Board (“EDPB”), in its statement on the CJEU judgment in case C-311/18:
- welcomes the CJEU’s judgment as highlighting the fundamental right to privacy in the context of personal data transfers to third countries and considers it a decision of great importance;
- points out that the EU and the US should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU, in line with the CJEU’s judgment;
- intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organizations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the US, a new framework that fully complies with EU data protection law;
- is looking further into the potential additional measures to those included in the SCCs in order to allow SCCs to provide an essentially equivalent level of protection;
- takes note of the data exporter and data importer obligations, as well as of the DPAs’ duties to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if the SCCs are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means.
Key conclusions for data controllers
- Carefully assess their international data flows based on the EU-US Privacy Shield and on the SCCs;
- If relying on the EU-US Privacy Shield, consider suspending or temporarily ceasing the data transfers based on the EU-US Privacy Shield;
- If relying on SCCs, follow the level of data protection provided in the third country and, where conflicts with the provisions of the SCCs arise, consider suspending such data exports, at least until the data protection measures are checked;
- Consider and implement alternative safeguards (e.g., Binding Corporate Rules);
- Follow the further development of new safeguards as announced by the EU Commission.