Schrems II – effects of the judgment issued by CJEU (changed rules of personal data transfer to the US)
Last week, the Court of Justice of the European Union (the “CJEU”) invalidated the so called “Privacy Shield” being the legal basis for data transfer from the EU Member States to the US. Consequently, each entity which transfer personal data to the US (e.g. via tools used by its American counterparties) is obliged to search for another legal basis for this operation, based on the GDPR. The basis may take the form of Standard Contractual Clauses, i.e. an agreement to be concluded with the data importer in the US.
The CJEU’s judgment was issued in response to a complaint filed by an Austrian lawyer, Maximilian Schrems, who, as a user of the US social network “Facebook”, opposed having his personal data transferred to the US.
Privacy Shield incompliant with the GDPR
The reason for invalidation of the Privacy Shield was the US law which authorizes the US intelligence services, including the FBI and the National Security Agency (NSA) to collect data “en masse” regardless of the purpose of their processing. Their impact applies to each data processed within a telecommunications company which uses the internet infrastructure, i.e. a system of cables, switches and routers, as well as data which is in transit to the US by access to underwater cables on the floor of the Atlantic. Therefore, the CJEU held that the United States of America do not ensure adequate (same as the EU) level of protection.
Standard Contractual Clauses
Pursuant to the GDPR, personal data transfer to third countries is possible under one of several bases specified in the law. Invalidation of the Privacy Shield by the CJEU rendered one of the bases no longer usable. Therefore, all companies which transfer data in any way whatsoever to an entity based in the US (including subcontractors, processors, parent companies, or to other entities within the internal corporate structure) should strive to establish another legal basis for transfer as soon as possible, in particular by conclusion of standard contractual clauses (i.e. an agreement of the wording prepared by the European Commission) in order to establish the principles of accurate processing and enforceability of the rights of natural persons.
The gap which arose as a result of the CJEU’s judgment is now a global problem, because the transfer of data between the EU and the US is enormous. We believe that, until the European Commission takes its position in respect of the judgment or issues a new decision, it is necessary to ensure that Standard Contractual Clauses are concluded with data importers to provide a legal basis for data transfer.
If you need assistance in conclusion of this type of agreements or in negotiations with data recipients, we are at you service.
For more: CJEU Judgment of 16 July 2020 C-311/18