Schrems, an Austrian national and privacy activist, filed a complaint with the Irish DPA in 2013 in relation to Facebook Ireland transferring his personal data to the US for processing. Schrems was not satisfied that his personal data was adequately protected, due to the wide-reaching surveillance powers of the US public authorities.
In 2015 the CJEU ruled in Schrems’ favour, declaring that EU-US Safe Harbor did not afford adequate protection (Schrems I).
The Irish Data Protection Commission then commenced further proceedings in 2016, to obtain clarity in respect of the Standard Contractual Clauses on which Facebook Ireland largely sought to rely for its transfer of personal data to the US (Schrems II).
After the CJEU held Safe Harbor to be an invalid transfer mechanism, in 2016 the European Commission approved Privacy Shield as an alternative, replacement mechanism for transfers of personal data from the EU to the US.
The CJEU have now overruled this in the Schrems II decision.
On the basis that interference by US public authority surveillance is not proportionate, and EU data subjects do not have adequate means of enforcing their rights in the US, the CJEU held that certification with Privacy Shield is no longer an appropriate safeguard for the transfer of personal data to the US.
The CJEU have ruled that Standard Contractual Clauses remain a valid transfer mechanism. However, a controller seeking to rely on the Standard Contractual Clauses is required to satisfy itself that the personal data being transferred will be afforded a level of protection equivalent to that which it receives within the EU.
It is not enough to simply populate and sign the Standard Contractual Clauses – controllers need to go much further and conduct in-depth due diligence in relation to both the security standards adopted by the international data recipient, and the privacy laws in place in the third country where the recipient is based.
The CJEU’s ruling in respect of Privacy Shield makes it clear that the privacy regime in the US does not afford EU citizens the level of protection required under the GDPR. This causes difficulty when looking at alternative transfer mechanisms to implement, and calls into question whether Standard Contractual Clauses can be appropriate where the US public authorities continue to have the same surveillance rights in respect of the imported personal data.
We are expecting to see the European Commission release an updated version of the Standard Contractual Clauses in the near future and will provide an update once these become available. However, this will not change the need for controllers to evaluate the adequacy of the third country and third party to which they are transferring personal data - the decision is clear that data controllers are responsible for where and to whom personal data is transferred.
If you require any assistance in relation to your international data transfers, please contact the Ashfords Data Protection Team.