The Court of Justice of the European Union (CJEU) invalidated Decision 2016/1250, which found that the EU-US Privacy Shield – a primary mechanism used by US companies to transfer personal data from the EU to the US – provided adequate protections for personal data. However, the Court still “considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries as valid.” The press release discussing the decision can be found here.
The decision at issue is Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). Maximillian Schrems is an Austrian national, and a Facebook user. For Facebook users residing in the EU, some or all of the user’s data is transferred from Ireland to servers located in the United States for processing. On two occasions, Schrems submitted a complaint to the Irish data protection authority (Irish DPA) essentially seeking to prevent the transfers, arguing that “the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country.” This complaint was rejected by the Irish DPA on the grounds that the European Commission had found the US to have an adequate level of protection through the US-EU Safe Harbor, to which Facebook had subscribed. The CJEU, in a decision on October 6, 2015, invalidated the Safe Harbor Decision (Schrems I) finding that the Safe Harbor did not ensure adequate protections for EU personal data transferred to the US.
In response to the Schrems I decision, the US and EU reached an agreement on the Privacy Shield, a similar arrangement to Safe Harbor, but with more stringent and detailed privacy protections for EU personal data. In Schrems II, Schrems claimed that Privacy Shield as well as another transfer mechanism, the Standard Contractual Clauses did not offer sufficient protection of data transferred to the United States and sought to prohibit or suspend future transfers. The Irish supervisory authority referred questions to the Court of Justice for a preliminary ruling.
In response, the Court of Justice declared on July 16, 2020 that the 2016/1250 Decision on Privacy Shield was invalid, but determined that the 2010/87 Decision on the Standard Contractual Clauses was valid. The Decision to invalidate 2016/1250 was in part due to the Court’s view that the US government’s surveillance programs “are not limited to what is strictly necessary.”
By striking down one method of personal data transfer from the EU to the US and reaffirming the validity of another, the CJEU decision will require companies to immediately reassess their data transfers, particularly if they were previously relying on the Privacy Shield as the basis for those transfers.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.