Following the judgment of the case C-311/18 ‘Data Protection Commissioner v Facebook Ireland and Maximillian Schrems’, the European Court of Justice invalidated the EU-US Privacy Shield negotiated between the EU Commission and the USA for the transfer of personal data from the EU to the USA. The impact of the decision is immediate. As a result, personal data of the EU data subjects can no longer be lawfully transferred to the USA on the basis of the EU-US Privacy Shield.

Simultaneously, the ECJ ruled that the EU Standard Contractual Clauses (SCCs) are to be regarded as valid in principle for transferring personal data of the EU data subjects outside the European Economic Area (the EEA), with the following caveats:

  • SCCs are inherently intended to provide contractual guarantees and thus cannot bind the public authorities of third countries.
  • An EU organisation which transfers personal data outside the EEA and the data importer in the third country must verify whether the law in the recipient country ensures adequate protection of personal data transferred under SCC.
  • ‘Adequate protection’ requires the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedom that is essentially equivalent to that guaranteed in the EU.
  • If adequate protection cannot be ensured:
    • Organisations must provide additional safeguards or end transfer.
    • The relevant Data Supervisory Authority is required to suspend or prohibit data transfer to the third country.
    • Data already transferred needs to be immediately returned or destroyed.

Consequences of the decision and recommendations for action:

The ECJ ruling forces all organisations in the EU to closely examine their data transfers to third countries, in this particular case with the USA.

To the extent that organisations in the EU have so far used the EU-US Privacy Shield for data transfers from the EU to the USA, the organisations need to act quickly. This data transfer mechanism is now no longer considered legal. Organisations must therefore immediately examine whether they can carry out their data transfers to the USA on the basis of other mechanisms like SCCs, Binding Corporate Rules, Approved Code of Conduct or Derogations for Specific Situations.

Furthermore, irrespective whether with the USA or other third countries, data transfers based on SCCs should also be reassessed in the light of the ECJ ruling. The ECJ has made it clear that before personal data is transferred to third countries, compliance with an adequate level of protection must be verified and ensured. This also holds true during continuous data transfers between the exporting country and the importing country.