The ECJ’s Schrems II decision invalidates the Privacy Shield

The Court of Justice of the European Union (“CJEU”), in its judgment of 16 July 2020 in case “C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems” (also known as the “Schrems II” case), has invalidated the EU-US “Privacy Shield” as a legal basis for transferring personal data from the EU to the USA, i.e. for using American systems and services to process European personal data.

In this case, the guarantees provided by both the “Standard Contractual Clauses” and the “Privacy Shield”, until now the two legal mechanisms for processing data of European citizens in the United States (think of Google Cloud USA, Amazon Web Services USA, Slack, MailChimp, Facebook, etc.), were again questioned, as was the case with the “Safe Harbor” back in 2015. It was claimed that both instruments entail a limitation of fundamental rights when personal data are transferred to the US. The CJEU has decided to invalidate the “Privacy Shield” while upholding the validity of the Standard Contractual Clauses, with the caveat that the data exporter must verify, case by case, that the law of the destination country allows the clauses to be honoured in practice, and must adopt supplementary measures where it does not.

This implies that data transfers from the EU to US companies based on the Privacy Shield system are no longer lawful, as the Privacy Shield protection is no longer valid. Therefore, any European data “exporter” using US-based services must adopt other appropriate legal guarantees for this processing, such as signing the EU Commission’s “Standard Contractual Clauses” or requesting authorisation from the supervisory authority. Several American companies have already offered to sign these contractual clauses, and now, unless the Privacy Shield is replaced again, the others will have to do so. In addition, it will be necessary to make the appropriate amendments to privacy policies and to carry out further internal risk analyses, in order to avoid any infringement of the GDPR and subsequent sanctions.

In 2015, the data protection authorities offered a grace period (3 months) to remedy the situation. It remains to be seen whether they will do so again. If not, it will be a “mad rush” to get these contracts signed or other measures in place if European companies want to continue using American services… or simply to move the data to EU-based providers (whether they are ultimately US-owned, like Google Ireland, or core EU players such as Hetzner or OVH in the hosting space).

As Across Legal has been working with you on data protection matters, we can help if you want support to analyse the situation and sign these standard contractual clauses in the short term, or to look for other solutions (such as moving the data and services to servers in the EU).

Hope this is of use, and best regards (and happy summer!)