Skip to main content

Paperjam | International data transfers to the U.S. after “Schrems II” case

On 16 July 2020, the European Court of Justice (“ECJ”) released its long-awaited decision in the so-called “Schrems II” case [1] . The Court invalidated the EU-U.S. Privacy Shield Framework but upheld, under certain conditions, the standard contractual clauses (“SCC”).

Reminder of the provisions applicable to international data transfers as per the General Data Protection Regulation

The General Data Protection Regulation (“GPDR”) provides that a transfer of personal data from the EU to a third-country may only take place where the EU Commission has decided that the third-country ensures an adequate level of protection, as evidenced by an adequacy decision.

In the absence of an adequacy decision, a transfer of personal data to a third-country may only occur if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. Such appropriate safeguards may be provided for by, e.g. a legally binding instrument, binding corporate rules, or SCC.

Context of the “Schrems II” case

The “Schrems II” case is subsequent to a previous decision of the ECJ, which was initiated by Mr. Schrems, an Austrian citizen, who lodged a complaint with the Irish data supervisory authority in order to prohibit Facebook Ireland from transferring his personal data to the U.S. company, Facebook Inc..

In the “Schrems I” case [1] , the ECJ declared the EU-U.S. Safe Harbour Privacy Principles – an agreement concluded between the EU commission and the U.S. that allowed american companies to transfer the personal data of EU nationals to their territory – invalid, stating that it did not provide adequate protection.

Following the “Schrems I” case and the invalidation of the Safe Harbour Privacy Principles, a new agreement was concluded on 2 February 2016: the Privacy Shield Framework (“Privacy Shield”).

Within the framework of the “Schrems II” case, it is this new mechanism of the Privacy Shield that Mr. Schrems decided to challenge, as well as the SCC used by Facebook.

ECJ ruling and impact on international data transfers

The ECJ invalidated the Privacy Shield as it found that it did not ensure a level of protection equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental rights. The ECJ noted that the U.S. governement could still access personal data transferred under the Privacy Shield and that the Privacy Shield mediation mechanism did not provide EU data subjects with effective administrative and judicial remedy.

On the other hand, the ECJ validated the use of SCC between an EU-data exporter and a non-EU data importer. Nonetheless, since SCC do not necessarily bind third countries, by reason of their relative effect, the Court considered that it is for the parties to take the necessary steps to compensate for the inadequacy of the guarantees of the country of destination.

SCC thus impose an obligation on the data exporter and the recipient of the transfer to verify, in advance and on a case-by-case basis whether the level of protection is respected in the third country concerned and oblige that recipient to inform the data exporter of its possible inability to comply with the SCC. The data exporter is then responsible for suspending the data transfer and/or terminating the contract concluded with the data importer.

 

[1] ECJ, 6 October 2015, C-362/14.

Share on