view all news & events

16.07.2020

The European Court of Justice invalidates the EU-US Privacy Shield: Case-by-case assessment necessary when using EU standard contractual clauses

[Translate to English:] EuGH
The European Court of Justice (CJEU) today announced its judgement in the "Schrems II" case (C-311/18) and rejected the so-called EU-US Privacy Shield. Not only many cloud services and social media platforms are affected by the decision. International companies must also rethink their internal data exchange.

The Austrian data protection expert Max Schrems had already brought down the so-called Safe Harbor Agreement between the EU and the USA. Now, in response to his claim, the CJEU has also declared the successor agreement on transatlantic data transfer, the EU-US Privacy Shield, invalid. However, the court has not invalidated the EU standard contractual clauses, which were also challenged. Nonetheless, it considers that the use of standard contractual clauses requires an additional assessment of whether there are adequately enforceable rights and effective remedies in the third country. If this is not the case, it holds that supervisory authorities may and must suspend or prohibit corresponding data transfers despite existing standard contractual clauses.

Context of the judgement

The GDPR provides the legal framework for personal data in the EU and the EEA, protecting the fundamental rights of data subjects and setting strict rules on the nature and extent of data processing. If data processing is carried out outside this protected area, additional protective measures must be taken in accordance with the provisions of the GDPR. For example, the EU Commission can classify countries as safe or declare agreements or standard contractual clauses on so-called adequacy decisions to be sufficiently safe. Such decisions are available for the EU-US Privacy Shield and also for the currently valid EU standard contractual clauses. With its judgment, the court invalidates the adequacy decision for the EU-US Privacy Shield. This means that all data transfers to the USA based solely on the EU-US Privacy Shield are inadmissible. However, many US companies also offer to conclude standard contractual clauses. These are still valid after the decision of the court, but the competent supervisory authorities can declare data transfers inadmissible and prohibit them with immediate effect despite the conclusion of standard contract clauses.

What comes next?

Both the German supervisory authorities and the authorities in the other EU countries will initially carry out their own evaluation of the judgment. It is to be expected that, as after the judgment on the invalidity of the Safe Harbor Agreement, recommendations of the authorities will be published and that the companies will also be given a certain amount of time to adapt or convert their data processing.

Permanent solutions for secure international data transfers will most likely require new international agreements, especially with the USA.

What does this imply for business practice?

Companies should now examine which data transfers are made to third countries, which of these transfers are business-critical and what options are available for ad hoc measures in the event that an authority prohibits the transfer at short notice. If data transfers to the USA are based solely on the EU-US Privacy Shield, alternative agreements must be conducted. In most cases, EU standard contractual clauses would be an option, even if these do not guarantee permanent permissibility. Providers who process data in the USA should check in particular whether the personal reference of data can be removed or limited by anonymisation or encryption measures.

Additional references

Press Release of the Court of Justice of the European Union, as of 16 July 2020

Authors

Nikolaus Bertermann

Nikolaus Bertermann

Partner

visit profile
Elisabeth Finckenstein

Dr. Elisabeth von Finckenstein

Associate

visit profile
Stefan Peintinger

Dr. Stefan Peintinger

Counsel

visit profile