Schrems II: the end to the EU-US Privacy Shield

The Court of Justice of the European Union (CJEU) has today issued its long-awaited judgment in the so-called Schrems II case. The case concerns the validity of certain mechanisms that had been declared by the European Commission as providing appropriate safeguards to allow transfers of personal data to third countries outside the European Economic Area.

The first Schrems case invalidated the previous mechanism "Safe Harbour" for the transfer of personal data from the EEA to the USA.  This led to the establishment in 2016 of the Privacy Shield.  The CJEU has ruled in Schrems II that the Privacy Shield is not a valid transfer mechanism either. This is a significant ruling that will impact a large number of organisations that currently rely on the Privacy Shield as a means of making data transfers to the US. Such organisations will now need to adopt an alternative method for ensuring there are appropriate safeguards for their trans-Atlantic transfers and suspend such transfers in the interim. 

The CJEU did, however, confirm the validity of certain standard contractual clauses (also known as Model Clauses) as a means for transferring personal data outside the EEA. Whilst the clauses themselves are valid, the Court notes that a holistic approach to the transfer must be taken, taking into account the relevant aspects of the legal system of the third country to which the data is transferred (i.e. an assessment to ensure that the country offers an adequate level of protection in relation to individuals’ data privacy rights) and any further safeguards the controller of the personal data puts in place to ensure the obligations under the Model Clauses are honoured.  The assessment of the third country falls both to the data protection authorities in the EU and to the data exporter and recipient themselves. Indeed, central to the Court’s decision to declare Privacy Shield as invalid was the lack of adequate protection for individuals in respect of certain surveillance programmes operated in the USA. It will now be for national authorities and courts in the UK and EU Member States to assess if transfers to certain countries (including the USA) are capable of being provided adequate safeguards and effective remedies to data subjects, even where standard contractual clauses are used.

Following the end of the current Brexit transition period, the same considerations will continue to apply to transfers of personal data from the UK to third countries in respect of which a formal adequacy decision has not been adopted.