New Challenges And Uncertainty For EU/US Data Transfers

The Court of Justice of the European Union has ruled that the EU/US Privacy Shield scheme is invalid, and that the standard data protection clauses are not an “appropriate safeguard” for data transfers if they are not or cannot be complied within the relevant third country.

In its long-awaited judgment in Schrems II (Case C-311/18), which was released this morning, the CJEU has affirmed that EU personal data may be transferred to a third country only if it is subject to appropriate safeguards, including that the relevant individuals are guaranteed a level of protection which is essentially equivalent to that of the GDPR, read in light of the Charter of Fundamental Rights. This means that data subjects must have enforceable rights and effective legal remedies.

The CJEU found that US national security law goes beyond the ‘proportionality’ parameters of EU law, meaning that individuals’ rights and remedies cannot be guaranteed. The Privacy Shield scheme cannot give the level of protection that was intended, so is invalid.

The standard contractual clauses remain a valid safeguard - but only when they are properly complied with. Where full compliance is not possible under local law (such as in the US), supervisory authorities should suspend or prohibit the transfers.

This decision, while not particularly surprising, will have severe and immediate consequences on the transfer of data from the EU (and the UK during the transition period) to the US. Further, the clear message is that the supervisory authorities will not find it easy to confirm the efficacy of the standard contractual clauses which many companies use to transfer data across the Atlantic. If both the Privacy Shield and the standard contractual clauses are not available, large swathes of EU/US data transfers may be in breach of the GDPR and, once the transition period is over, data transfers between the EU and the UK will become much more difficult. Given that it is difficult to see the US Government allowing the CJEU determine its public security policy, this is a real headache for all governments and regulators involved. One would like to think this issue was foreseen and an effective response is prepared and ready to be put in place but, given that we have not yet seen a cohesive international response to COVID-19, there is a risk that this may not be the case.

Click to view the full alert.

© 2020 Brown Rudnick LLP

Prior results do not guarantee a similar outcome.

Brown Rudnick is a tradename of both Brown Rudnick LLP, a limited liability partnership organized under the laws of the Commonwealth of Massachusetts ("BR-USA"), and its affiliate Brown Rudnick LLP, a limited liability partnership registered in England and Wales with registered number OC300611 ("BR- UK"). BR-UK is a law firm of Solicitors and Registered Foreign Lawyers authorized and regulated by the Solicitors Regulation Authority of England and Wales, and registered with the Paris Bar pursuant to the 98/5/EC Directive. A full list of members of BR- UK, who are either Solicitors, European lawyers or Registered Foreign Lawyers, is open to inspection at its registered office, 8 Clifford Street, London W1S 2LQ, England (tel. +44.20.7851.6000; fax. +44.20.7851.6100).

Information contained in this Alert is not intended to constitute legal advice by the author or the lawyers at Brown Rudnick LLP, and they expressly disclaim any such interpretation by any party. Specific legal advice depends on the facts of each situation and may vary from situation to situation.

Distribution of this Alert to interested parties does not establish a lawyer-client relationship. The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP.