Is the USA now closed to EU personal data transfers?
The long-awaited judgment by the Court of Justice of the EU (CJEU) in the Facebook/Schrems 2 case was handed down on the 16th July 2020. This judgment was given in reply to a series of questions that the Irish High Court asked the CJEU to answer, by way of the preliminary reference mechanism, regarding transfers of EU citizens' personal data to third countries for commercial purposes.
Two of the key questions answered by the court were, firstly, whether Facebook’s transfer of personal data using the EU-U.S. Privacy Shield (which is also used by thousands of other participating companies) was valid and, secondly, whether the use of standard contractual clauses (SCC) for transfers to countries outside the EU is also valid in accordance with the GDPR.
In a very detailed judgment, which can be found here, the CJEU answered these questions (and more), which I will attempt to briefly summarise for you now.
The court found that the Privacy Shield is not a valid method of data transfer, in that it did not offer EU citizens' data in the USA the same protection, by way of appropriate safeguards, that would apply in the EU. The court pointed out the access that the US government has, through its various security agencies, to all personal data and that such access was not proportionate or strictly necessary (thank you Mr Snowden). Additionally, the redress provisions of the Privacy Shield, through the ombudsperson mechanism, were held to be inadequate because they do not provide EU data subjects with any cause of action before a body which offers guarantees of redress.
The CJEU did, however, uphold the validity of Standard Contractual Clauses (SCC), but, and it’s a big but, there must be proper protections in place in the third country to which EU data is transferred, specifically with regard to access by public authorities and judicial redress. So one of the big takeaways for data controllers is that they must, on a case by case basis, decide whether the proper safeguards are actually in place to allow the transfers and what additional safeguards may be needed to ensure the data is safe from government interference, such as possible encryption, etc. It can no longer be a "just sign the paperwork and put it in a drawer" exercise. The same can be said of the company receiving the data in the third country: can it uphold its own laws and still comply with its obligations under the SCC?
This all has major implications going forward for the Privacy Shield (dead and buried?) and the use of SCCs in relation to data transfers to the USA, to other third countries and, additionally, to the UK once the Brexit transition period expires and it is outside the EU for the purposes of data transfers.
Helen Dixon of the Irish Data Protection Commission welcomed the clarity the judgment brings, stating that
“for reasons associated with the structure of the legal system in operation in the United States, EU-US data transfers were inherently problematic”
So, it is back to the drawing board for the US and EU authorities, albeit with the guidance outlined in the judgment.