The European Court of Justice has ruled that Privacy Shield cannot be used as a basis for transferring data to the US, but the EU's standard contracts have won the day
Many of the tech suppliers used by European companies are based in the US and subject to US legislation and US authorities. Many of these tech suppliers are data processors within the meaning of the General Data Protection Regulation (GDPR), since they receive personal data when providing their services. This constitutes a transfer of personal data from the EU to the US, which is only lawful if a so-called transfer basis can be established. Two of the most commonly used transfer bases are Privacy Shield and the EU Commission's standard contract.
The level of protection for data subjects is not as high in the US as it is in the EU, particularly because the US authorities have very extensive opportunities to gain access to personal data processed by US companies, regardless of whether it is personal data about US citizens or EU citizens. Thus, there is a risk that EU citizens' personal data transferred to the US is processed in situations that are not acceptable to EU citizens.
An EU citizen, Max Schrems, had complained to the Irish Data Protection Authority that Facebook in Ireland transferred his personal data to the parent company Facebook in the US. Max Schrems did not believe that the agreement between the EU and the US on the so-called Privacy Shield provided him with sufficient protection for his personal data. Nor did he believe that the EU Commission's standard contract was a sufficient basis for transfer.
The Irish Data Protection Authority brought the case before the Irish courts, which chose to ask the European Court of Justice a number of questions about the interpretation of EU rules.
The European Court of Justice concluded that the "Privacy Shield Decision" is invalid. Therefore, personal data can no longer be transferred to the US using the Privacy Shield.
However, the CJEU also ruled that the EU Commission's standard contracts remain valid. At the same time, a number of questions have been raised about the standard contracts, which essentially mean that the content of the standard contracts must actually be followed and enforced. If this is not possible because of the rules of the processor's home country (which in this case was the US), the transfer of personal data must cease.
It will therefore be crucial for all companies in the EU that transfer personal data to the US under the Privacy Shield to find a new transfer basis. The obvious choice is the EU Commission's standard contractual clauses. However, if this route is chosen, it is even more important than before to ensure that the recipients of the personal data in the US, the data processors, can actually comply with the standard contracts. This issue has not yet been clarified.
The Danish Data Protection Agency has stated that in the European Data Protection Board, together with the other European supervisory authorities, it will in the near future conduct a more detailed analysis of the judgment and its significance for the transfer of personal data to third countries and international organizations, including the impact of the judgment on the other transfer bases.
Regardless of what announcement comes from the authorities, companies should clarify now whether they transfer personal data to third countries and, if so, which transfer basis they rely on when using cloud solutions and when using personal data in their marketing.
CO:PLAY has established a working group to analyze the impact of the Schrems II ruling. You can always contact the below for specific advice on what the change in the transfer basis to third countries means for your business.