Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement

With judgment dated 16 July 2020, “Data Protection Commisioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, the Court of Justice of the European Union (hereinafter, the “CJEU” or the “Court”) has declared Decision No. 2016/1250 invalid and, along with it, the agreement signed between the European Union and the United States of America aimed at protecting and governing the transfer of the  personal data of European citizens to the recipient located within the US territory (the so-called “Privacy Shield”).

The decision of the Court of Justice

The Court has ascertained that any potential transfer made by US public authorities in respect of all personal data transferred to the US territory shall prevail over the limitations foreseen by the fundamental rights of the European citizens concerned (“data subjects”), which the EU regulations aim at protecting.

At present, the EU regulations of reference on the protection of personal data are included in Regulation (EU) 2016/679 (hereinafter, the “Regulation”), based on which the personal data of data subjects, if transferred to Countries outside the European Union, must be protected by equal guarantees to those provided for under EU law.

In invalidating the Privacy Shield, the CJEU states again the lawfulness of the tool consisting in the so-called Standard Contractual Clauses (“SCC – Standard Contractual Clauses”) adopted by the European Commission, but instructs the supervisory authorities of each single EU Member Country to check as well as, if necessary, to suspend and ban the transfer of personal data to Third Countries having a legal system not in compliance with the requirements included in any such Clauses.

The tools foreseen by the Regulation

The decision at issue does not set a total ban to the transfer of personal data towards the US, but imposes that the parties and the organisations making any such type of transfer identify alternative tools justifying the exchange, thus ensuring appropriate levels of protection for the data subjects.

In this respect, please note that the Regulation provides for different tools and procedures to be used in order to implement a correct transfer of data outside the European Union. In particular:

• the existence of an adequacy decision to the EU requirements on the protection of personal data;
• the adoption of Standard Contractual Clauses;
• the adoption of Binding Corporate Rules (“BCR _ Binding Corporate Rules”) by large international groups following the negotiation with the supervisory Authorities of the countries involved;
• the agreement to specific Codes of conduct or, in any event, to certification procedures, which must be concomitantly applied by the party to which the data are transferred;
• the data subject’s consent, which must be duly informed as foreseen by the Regulation itself.

◊◊◊◊

In light of the rulings of the Court of Justice with the judgment under examination, the organisations engaged in transferring the personal data of data subjects towards the USA are under an obligation to revise the procedures on which they have grounded any such transfers, by identifying alternative tools in the cases in which, up to now, the Privacy Shield has been used.

As clarified by the Court, should the Standard Contractual Clauses tool be used, it shall be necessary to identify the risks, even potential, by analysing both the organisation of the party receiving any such data and factors such as the context, the sector or the legal system of the Third Country in which the latter does business.