In a judgment, the European Court of Justice has ruled that Privacy Shield cannot be used as a transfer basis for data to the UNITED States, but the EU's standard contracts have cleared free.
Many tech suppliers used by European companies are based in the United States and subject to US law and US authorities. Many tech suppliers in question are data processors in the sense of the Data Protection Regulation, as they have personal data transferred in connection with the provision of their services. This results in a transfer of personal data from the EU to the US. This is only legal if a transfer basis can be established. Two of the most commonly used transfer bases are Privacy Shield and the EUROPEAN Commission's standard contract.
The level of protection of registered persons is not as high in the United States as in the European Union. This is mainly because the US authorities have extensive opportunities to access the personal data that US companies process, whether it is the personal data of US citizens or EU citizens. As a result, there is a risk that EU citizens' data transferred to the UNITED States will be processed in situations that are not acceptable to EU citizens.
One EU citizen, Max Schrems, had complained to the Irish Data Protection Agency that Facebook in Ireland transferred his data to parent company Facebook in the U.S. Max Schrems considered that the agreement reached between the EU and the US on the so-called Privacy Shield did not provide him with adequate protection for his personal data. Nor did he believe that the EU Commission's standard contract was sufficient to transfer basis.
The Irish Data Protection Agency took the case to the Irish courts, which chose to put a number of questions to the European Court of Justice to interpret EU rules.
The European Court of Justice ruled that the "Privacy Shield decision" is invalid. Therefore, personal data can no longer be transferred to the United States using Privacy-Shield.
But the European Court of Justice also ruled that the EU Commission's standard contracts remain valid. However, several questions are raised about the legal agreements, which are essential that the content of the standard contracts must be followed and enforced. If this is not possible due to the data processor's home country (which in the specific case was the United States), the transfer of personal data must cease.
Therefore, it will be crucial for all companies in the EU to transfer data to the US based on Privacy Shield to find a new transfer basis. The obvious choice is the European Commission's standard contracts. If this is chosen, it is even more necessary than in the past to ensure that the recipients of personal data in the United States, the data processor, have the opportunity to comply with the standard contracts. This issue has not yet been clarified.
The Danish Data Protection Agency has indicated that in the future, together with the other European supervisory authorities, it will carry out a detailed analysis of the judgment and its impact on the transfer of personal data to third countries and international organisations. Including the effect of the judgement on the other transfer bases.
Regardless of the announcement made by the authorities, you as a company should already clarify whether you are transferring personal data to a third country and, if so, what transfer bases you use in connection with the use of cloud solutions, as well as using personal data in your marketing.
CO:PLAY has set up a working group to analyse the impact of the Schrems II decision. You can always contact the following for specific advice on what the change in the transfer basis to third countries means for your business.
For more information please contact:
Heidi Højmark Helveg - hhh@coplay.law (+45 30 74 2900)
Niels Dahl-Nielsen - ndn@coplay.law (+45 4030 9749