EU Takes an Axe to Privacy Shield and Warns on Standard Data Transfer Clauses

Jeremy Morton Jeremy Morton

Jeremy Morton

Partner at Temple Bright LLP

Published Jul 16, 2020
+ Follow

The European Court of Justice has this morning declared the EU-US Privacy Shield invalid as a basis for lawful transfer of personal data from the EU. Among other deficiencies, the Court noted widespread surveillance in the United States, and that the role of the Privacy Shield Ombudsperson does not allow sufficient redress by individuals on an independent basis.

The Court’s ruling, in the ‘Schrems/Facebook’ complaint originating in Ireland, also provides that standard contractual clauses for transfer outside the EU cannot be relied on without verifying adequate protection for the data in the recipient country - including those aspects set out at Article 45(2) GDPR. Such clauses remain a valid option, but there is serious uncertainty about when the option can be used, and what additional measures may be necessary in specific cases.

Mr Schrems had objected back in 2013, pre-GDPR, to Facebook transferring his data to the US. The EU Commission had already, as a result, decided in 2015 that the ‘Safe Harbour’ for data transfer to the US was invalid. As a result, the EU Commission approved the EU-US ‘Privacy Shield’. In 2016 the Commission also issued a preliminary draft decision on standard contractual clauses, to the effect that personal data would not be adequately protected in the US even if transferred under such clauses, since the clauses are not binding on the government in the recipient country.

Despite being a pre-GDPR reference, today's ruling applies to interpretation of the equivalent provisions of the GDPR. Businesses transferring personal data from the EU may increasingly focus on the derogations in Article 49, allowing transfers in situations such as contractual necessity or explicit consent (though also very difficult to use in practice) - unless the recipient country has been officially flagged as adequate (a status currently confined to 12 countries and yet to include the United Kingdom). We should now also see publication of updated standard clauses that reflect the post-GDPR world.

#GDPR #privacyshield #Schrems #Facebook

https://bit.ly/2B2UFo8

To view or add a comment, sign in

More articles by this author

See all

Insights from the community

Explore topics