On Thursday 16 July, the Court of Justice of the European Union (CJEU) declared Privacy Shield invalid with immediate effect. Privacy Shield is the transfer mechanism introduced in 2016 to replace the EU-U.S. Safe Harbor agreement, which the CJEU had itself invalidated in 2015.
This will come as a blow to many organisations that rely on Privacy Shield to facilitate free flows of personal data from the EU to the U.S.
While Privacy Shield has been struck down, the CJEU has confirmed that SCCs will remain effective, subject to a number of considerations.
The EU General Data Protection Regulation 2016/679 (GDPR) restricts transfers of personal data to which the GDPR applies from the EU to “third countries” (i.e. those which have not been granted “adequacy” status by the European Commission) unless appropriate “safeguards” are in place to protect that data and to provide enforceable rights and effective legal remedies to the individuals whose data is being exported.
Until today’s ruling, Privacy Shield constituted one of those approved safeguards.
Where a U.S. data importer certifies under the Privacy Shield scheme, it is essentially representing to the U.S. government that it will process the data it receives from the EU in line with EU standards, thus permitting the data to flow from an EU perspective.
The CJEU’s decision was predicated primarily on the level of access that U.S. authorities have to data transferred from the EU to the U.S. for national security, public interest, and law enforcement purposes through surveillance programmes under the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
In summary, the CJEU considered that U.S. law does not provide EU citizens with effective judicial protection against such access. In particular, the independence from the U.S. government of the Privacy Shield Ombudsperson (i.e. the person entrusted with overseeing that the Privacy Shield scheme was not abused) was called into question. The CJEU found that the Privacy Shield Ombudsperson did not have the power to adopt decisions that are binding on U.S. intelligence services.
Whilst the SCCs will remain valid, the CJEU made clear that EU exporters of personal data must take into account the legal system of the third country to which the personal data is being transferred in order to objectively assess whether the data is adequately protected, and if the individuals whose data is being exported have enforceable rights and remedies.
The importing entity has to inform the EU data exporter of any inability to comply with the SCCs, and the EU exporter is obliged to suspend data transfers if EU privacy laws are breached, the CJEU said.
The CJEU confirmed that it may be necessary to supplement the protections and safeguards contained in the SCCs in order to address risks identified.
This decision also empowers EU Supervisory Authorities to suspend or prohibit transfers where, in their view, the SCCs cannot be complied with in a specific third country, e.g. given the level of surveillance and the lack of judicial redress offered to data subjects.
This decision continues the “privacy trade war” between the EU and the U.S. and will require organisations on both sides of the Atlantic which utilise Privacy Shield to pivot to another data transfer mechanism (e.g. SCCs or BCRs) without delay.
Businesses should consider their current data handling and transfer positions and also review their contracts and consider implementing SCCs, if not used already in their contracts.
One final important point to note. Even if SCCs have been used previously, the way they have been used and their precise wording also need careful review. If any amendments or “improvements” were worked into the drafting, the protection given by using the clauses can be lost.