CJEU invalidates EU-US Privacy Shield, Standard Contractual Clauses remain valid

The Court of Justice of the EU (CJEU) issued a judgement in the case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (known as the ‘Schrems II case’) stating that it invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and considers the Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries as valid.

In this landmark decision, the CJEU dealt with adequate levels of protection of personal data under the General Data Protection Regulation (GDPR) when transferring personal data between companies outside the EU.

The CJEU struck down the EU-US Privacy Shield, a major agreement between the EU and the USA on the transfer of data between companies, as it fails to protect rights to privacy, data protection, and access to remedy of EU citizens. The CJEU stated that the level of protection in third countries must be essentially equivalent to that guaranteed within the EU by the GDPR for international transfers. According to the BBC, ‘the EU-US Privacy Shield system “underpins transatlantic digital trade” for more than 5,000 companies’.

The CJEU confirmed the validity of Standard Contractual Clauses (SCC) which enable data transfers between EU and non-EU data controllers and processors. According to the CJEU, the SCC are of a contractual nature and therefore can not bind the public authorities in non-EU countries. The SCC requires that the level of data protection of natural persons, guaranteed by the regulations of GDPR and the EU Charter of Fundamental Rights, is upheld. The CJEU also stated that SCC adopted by the European Commission will need to be reformed to incorporate more safeguards.

In his first comment, Maximilian Schrems, a party to the case stated, ‘I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.’

Vice President of the European Commission for values and transparency Vera Jourova and Commissioner Reynders highlighted the commitment of the EU to safeguard personal data when it travels outside the EU, and that the right of EU citizens to data protection is absolutely fundamental.

US Secretary of Commerce Wilbur Ross issued a statement  expressing deep disappointment with the CJEU’s judgement, as well as the intent to remain in close contact with the European Commission and European Data Protection Board (EDPB) on this matter.