Yesterday, on July 16, 2020, in a landmark decision, the Court of Justice of the European Union ruled that the EU-US Privacy Shield, a key data-sharing mechanism, is invalid because it failed to uphold privacy and data protection rules.
The case behind the decision.
Maximilian Schrems, an Austrian national residing in Austria, who has been a Facebook user since 2008, lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit the transfer of his personal data by Facebook Ireland to servers belonging to Facebook Inc., located in the United States. In its recent decision, the Court expressed the view that «the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union» are «not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary» (the full Court press release is available here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf).
According to the BBC, Max Schrems called it a win for privacy, stating that «it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market», while the US Secretary of Commerce Wilbur Ross said his department was «deeply disappointed» by the decision and that he hoped to «limit the negative consequences to transatlantic trade worth $7.1 trillion (£5.6tn)» (https://www.bbc.com/news/technology-53418898).
Impact and remedies.
The Court held that standard contractual clauses will continue to be a valid means for the transfer of data outside the European Union.
Therefore, companies currently benefitting from the EU-US Privacy Shield will likely transition to standard contractual clauses. Microsoft, for example, has issued a statement saying it already uses them and is unaffected by the recent Court decision (the full statement is available here: https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/).
While we are slightly surprised by the decision, we must confess it has been years since we last suggested that a client use the Privacy Shield: standard contractual clauses have always been an easier and more flexible tool.