The CJEU Decision on the Privacy Shield and Standard Contractual Clauses

22/07/2020



The Court of Justice of the European Union (CJEU) has invalidated the EU-US Privacy Shield Framework and found that Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries are valid. This was the outcome of the CJEU decision C-311/18 – Facebook Ireland and Schrems issued on July 16th 2020.
 
What does this mean for organizations relying on Privacy Shield to transfer personal data to the US? There are a lot of uncertainties right now, but one thing is certain: all those organizations should find an alternative safeguard for such transfers. It remains to be seen how the EU Data Protection Authorities (DPAs) will react. The UK Information Commissioner’s Office (ICO) has published the following on its website: “We are currently reviewing our Privacy Shield and Standard Contractual Clauses (SCCs) guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.” It seems that organizations will be told to find other safeguards to rely on when transferring personal data to the US.
 
But what happened to the SCC? Even though they were not invalidated, the CJEU has introduced new obligations on controllers. In paragraph 134, the CJEU stated: “In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” Furthermore, paragraph 142 contains a similar obligation: “It follows that a controller established in the European Union and the recipient of personal data are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. The recipient is, where appropriate, under an obligation, under Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract.”
 
Does this mean that, for every transfer, organizations will have to carry out a “mini adequacy assessment” to confirm whether the laws of the third country ensure adequate protection under EU law? If the outcome of such an assessment is negative, it seems that controllers will not be able to use SCC to cover transfers of personal data to those countries. Until regulators and the European Data Protection Board issue new guidelines, the safest option would be to restrict flows of data to EU countries and countries deemed adequate by the European Commission. But is that feasible?

