Privacy Shield for EU - US data transfer has been ruled invalid by the European Court of Justice


The "Privacy Shield" is an agreement between the European Commission and the U.S. Secretary of Commerce that allowed the transfer of data from the EU to the U.S. It followed the declaration of invalidity of the "Safe Harbour Pact", the previous agreement between the EU and the US for the transfer of data.

The decision issued by the European Court of Justice on July 16, 2020, will have serious political consequences for EU-US relations, for US providers and for European companies.

The decision

In accordance with the General Data Protection Regulation (hereinafter referred to as the 'GDPR'), the transfer of data outside the EU can take place only if the third country ensures an adequate level of protection.

The European Commission can find that a third country ensures an adequate level of protection because of its national legislation or because it is party to an international agreement (such as the Safe Harbour Pact, which was declared invalid in Decision 2016/1250 and related to the export of data from the EU to the USA).

In the absence of an adequacy decision, a transfer of data can take place only if the data controller, established in the EU, provides adequate safeguards, which may result from standard contractual clauses adopted by the Commission (Decision 2010/87), and if the data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision or adequate guarantees, the GDPR shall ultimately determine the conditions under which such a transfer may take place.

The level of protection required for a non-EU data transfer is equivalent to the level of guarantee within the EU Member States.

The assessment of this level of protection covers both what is contractually agreed between the parties (the data exporter established in the Union and the recipient of the transfer established in a non-EU country) and the access that non-EU public authorities have to the data, as well as other elements of the legal system of the country to which the data are transferred.

Specifically, the legislation governing the US surveillance programmes does not minimise the processing of data of EU data subjects, nor does it limit the powers of US authorities by establishing adequate guarantees for European citizens who may potentially be subject to US mass surveillance.

For all these reasons, the Court declared Decision 2016/1250, the Privacy Shield agreement, invalid.

The Court also held that, in the absence of a valid adequacy decision adopted by the Commission, the Data Protection Authority must suspend or prohibit a transfer of personal data to a third country when it considers that the conditions required are not met.

The Court stated that Decision 2010/87 on standard contractual clauses for the transfer of personal data to entities established in third countries remains valid. It is certain, however, that the reasons for the invalidation of the Privacy Shield will also have effects on the use of standard contractual clauses.

Therefore, US providers who have relied on the Privacy Shield as the legal basis for data transfers from the EU to the US will have to adopt a different solution, such as standard contractual clauses.

The Italian company, as data exporter, and the Data Protection Authority will have to make a complex assessment of the adequacy of the guarantees offered by the party importing the data and of the regulations in force in that country, with the related liability profiles.

Practical implications

Impact on business activities

  • Decision 2016/1250 does not cover necessary data transfers to the USA (e.g. sending e-mails to a person in the USA, booking travel in the USA).

  • Can European companies continue to use US providers? At the moment the answer appears to be no, as all major providers are subject to potential US government oversight.

  • Can companies continue to use US providers based in the EU? In such cases, European companies are responsible for ensuring that "intra-group" personal data flows to the US are GDPR compliant. Companies will now need to carefully review such data flows and decide whether to keep the data in Europe, or in another country that provides better privacy protection, instead of transferring it to the US.

Impact on consumer rights

Users are free to send their own personal data directly to a third country, for example when using a Chinese or US website. However, consumers may not directly share other people's data (e.g. that of friends or colleagues) with a US provider unless they have obtained free, specific, informed and unequivocal consent.