EU-US Privacy Shield invalid: now what?

The EU-US Privacy Shield has been invalidated. This means that companies need another legal basis for the transfer of data of EU citizens to the US. It is strongly recommended to quickly implement appropriate alternative safeguard mechanisms, e.g. Standard Contractual Clauses or Binding Corporate Rules.

On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in Case C-311/18 (called: ‘Schrems II’). The decision greatly impacts companies that based their data transfers between the EU and the US on the Privacy Shield. Where to go from here?

A step back: what is the EU-US Privacy Shield?

All EU member states and the three additional EEA countries (Norway, Iceland and Liechtenstein) have implemented the EU General Data Protection Regulation (‘GDPR’) in their national laws. Countries not complying with the GDPR are referred to as third countries. Following from the GDPR, personal data can only be transferred to a third country if that country offers an adequate level of data protection. The GDPR offers a wide range of safeguard mechanisms based on which data can be transferred to third countries, amongst others:

• Adequacy decisions from the European Commission, stating that a third country ensures an adequate level of data protection for EU personal data;
• Binding corporate rules (‘BCRs’), in which an organization lays down the safeguards for the protection of personal data when transferring to third countries within a group of companies;
• Standard contractual clauses (‘SCCs’), being model clauses for data protection that have been approved by the European Commission.

The US is a third country and does not offer an adequate level of data protection. In order to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements following from the GDPR relatively easily, the EU-US Privacy Shield was created. US companies were given the opportunity to voluntarily comply with this framework through certification, which companies were recorded by the US Department of Commerce. If a US company was not certified under this framework, contractual arrangements complying with the GDPR had to be made. The framework allowed free transfer of data from the EU to US companies that were certified under the Privacy Shield. The European Commission recognized the US, limited to the Privacy Shield framework, as providing adequate protection as required by the GDPR in an adequacy decision.

Schrems II

In Schrems II the Court of Justice of the European Union ruled that:

1. The Privacy Shield does not provide an adequate level of data protection between the EU and the US, and therefore is invalid; and
2. The Standard Contractual Clauses approved by the European Commission remain valid. However, additional protections need to be implemented when SCCs are used as a legal basis for data transfers. The data exporter is responsible for the assessment of whether the level of data protection offered by the countries to which data are sent is adequate. The exporter must take into consideration the content of the SCCs, the specific circumstances of the transfer and the legal regime applicable in the importer’s country.

Please note: according to the European Data Protection Board (‘EDPB’) these additional protections also need to be taken into account when BCRs are used as a legal basis.

A step forward: where do we go from here?

As a result of the immediate effect of the decision, data transfers on the basis of the Privacy Shield are illegal as from 16 July 2020.

Therefore, we would like to provide you with some points of attention:

1. If EU and US companies wish to continue to transfer data between the EU and the US, it is strongly recommended to quickly implement appropriate alternative safeguard mechanisms, e.g. Standard Contractual Clauses or Binding Corporate Rules, in order to at least provide for a legal basis for transferring data. Having a legal basis in itself, however, does not necessarily ensure an adequate level of data protection.
2. When implementing either SCCs or BCRs, the level of data protection in the importing country needs to be assessed, taking into account the factors mentioned under ii and supplementary measures that can be put in place in order to provide an adequate level of data protection. Supplementary measures could be legal, technical (e.g. encryption) or organizational measures. The SCCs or BCRs along with possible supplementary measures should ensure that US law does not intrude in the adequate level of data protection they guarantee. This requires a case-by-case analysis and assessment of the circumstances of the transfer. As a controller, make sure to check whether your processor uses services from the US (e.g. Google Analytics).
3. If, in any case, appropriate safeguards cannot be ensured, the data exporter is required to suspend or end the transfer of personal data. You must notify your competent Supervisory Authority if you intend to continue transferring data, despite this conclusion.
4. Consider alternatives:
   1. Investigate whether it is possible to move data processing and storage to Europe
   2. Look for European alternatives for data services to work with and/or
   3. Conclude contracts only with a European subsidiary of any third country company if that ensures an adequate level of data protection.
5. Meanwhile, the development of any alternative instruments or new safeguards by the EU Commission should be closely followed.

Please note: the US Department of Commerce has stated to continue to administer the Privacy Shield programme. The decision of the Court of Justice of the European Union does not relieve participating (certified) US companies of their Privacy Shield obligations. It is, however, possible to withdraw from the Privacy Shield. In that case the company must continue to apply the Privacy Shield principles to the data it received while participating in the Privacy Shield.

What can we do for you?

You can contact Russell Advocaten with all your GDPR-related matters. We will gladly help you assess how to comply with all requirements in order to be able to transfer data within and outside the EU. Please contact us: