On 16 July 2020, the Court of Justice of the European Union issued a judgment that had a great impact on the data protection world. In the Schrems II decision, the Privacy Shield was declared invalid.[1] The Privacy Shield is a framework that regulates transatlantic transfers of personal data from the European Union to the United States, in order to comply with European data protection requirements. Many companies, both big and small, made use of the Privacy Shield. As a result of the decision, personal data can no longer be transferred on the basis of the Privacy Shield. While privacy activists are thrilled with this outcome, it will have a big impact on companies and other parties who transfer personal data from the European Union to the United States.

The decision to invalidate the Privacy Shield was made for several reasons. According to the Court, the United States does not sufficiently protect the right to privacy of EU citizens. First, EU citizens have no possibility to start a judicial procedure when they are of the opinion that their personal data is being processed by the American government in an unlawful manner. Second, it is difficult for EU citizens to file a complaint with the Ombudsman, because the Ombudsman mechanism is not working correctly. According to the Court, it cannot be said with certainty that the Ombudsman can make independent and binding decisions. Third, based on US legislation, the security services in the United States have the right to access and use personal data of EU citizens. This access is not limited to strictly necessary personal data, and it therefore conflicts with European data protection requirements.

The decision by the Court does not completely disrupt data transfers between the EU and the United States. It is still possible to make use of the standard contractual clauses (SCCs), which were reaffirmed in the Schrems II case. However, the Court stated that these SCCs can only be used when a level of protection similar to that provided under the GDPR can be offered. Many companies were using the Privacy Shield to transfer personal data from the EU to the United States. In the near future, these companies need to start using the standard contractual clauses instead, which can be a complicated process. The inability to rely on the Privacy Shield to transfer data across the Atlantic Ocean even led Facebook to warn that it may have to stop offering its services within the European Union.[2]

A new adequacy decision may be put into place in the future. However, as both the Privacy Shield and its predecessor Safe Harbor have been declared invalid, it may be difficult to create an adequacy decision that is perfectly compliant with the General Data Protection Regulation. Big changes in the field of data protection regulation in the United States seem to be necessary before one can even start to think about a new adequacy decision.


[1] CJEU 16 July 2020, ECLI:EU:C:2020:559 (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (“Schrems II”)).

[2] The Guardian, ‘Facebook says it may quit Europe over ban on sharing data with the US’ (22 September 2020). Available online: https://www.theguardian.com/technology/2020/sep/22/facebook-says-it-may-quit-europe-over-ban-on-sharing-data-with-us.