The Court annulled the scheme through which transfers of personal data from the EU to the US take place, however companies can still use standard contractual clauses.
Privacy Shield, the successor of Safe Harbor: Until now, transfers of the EU citizen’s personal data to the US have taken place under the Privacy Shield scheme, which is largely a self-certification scheme through which US businesses commit to adopting adequate safeguards in the treatment of personal data. The scheme succeeded Safe Harbor, which was struck down by the European Court of Justice in 2015 for not providing sufficient safeguards. The new case is a follow-up to the previous one brought up by privacy activist Max Schrems, who challenged the validity of transfers of his Facebook data from Ireland to the US, on the basis that the US do not offer an adequate level of personal data protection. Once Safe Harbour was ruled invalid, the Irish data protection authority asked Schrems to reformulate his complaint.
The ECJ found Privacy Shield to be an empty shell: On 16 July 2020, the ECJ ruled that the standard clauses approved by EC in 2010, through which Facebook transfers EU personal data to the US, are valid because they include effective mechanisms to ensure compliance with the level of protection established in EU law. With regard to Privacy Shield, the Court found that it does not protect EU citizens from provisions in US law which allow public authorities to run extensive surveillance programs. In practice, EU citizens can be targeted by these surveillance programs, and do not have actionable rights before the courts against US authorities. For example, the ombudsperson mechanism set out in Privacy Shield, which is meant to grant EU citizens adequate redress, does not offer guarantees substantially equivalent to EU law.
What now then? The decision will cause significant uncertainty with regard to EU-US data transfers. While the decision on standard contractual clauses has not been annulled, this does not mean that clauses are automatically valid. Companies using those clauses will need to first assess the level of protection in the country of destination – something that can no longer be considered as automatic for the US.