This article was written by Dr. Warren Ciantar and Dr. Claude Micallef-Grimaud.
On Thursday 16th July 2020, the Court of Justice of the European Union (‘CJEU’) ruled that the ‘Privacy Shield’ agreement allowing for the transfer of personal data between the European Union and the United States of America does not provide sufficient protection from US surveillance to EU citizens.
To fully appreciate the context and ramifications of this decision, one must go back to 2013, when a young Austrian privacy activist by the name of Max Schrems raised a complaint against Facebook with the Irish Data Protection Commissioner. The complaint centered around the transfer of his personal data by Facebook to the USA, where Schrems felt that the said personal data were not being handled with the same level of security as in the EU. It must be noted that at the time, transfers of personal data between the EU and the USA were regulated by the so-called ‘Safe Harbour Agreement’. To keep a long story short, Schrems’ complaint eventually ended up before the CJEU in 2015, which had then ruled that the Safe Harbour Agreement was not valid and did not provide adequate protection (in terms of privacy) to European citizens.
This makes the recent CJEU ruling a case of déjà vu, as the Safe Harbour Agreement was intended to be replaced by the Privacy Shield but now the latter has also been deemed invalid. This is a blow for any organisations that were relying exclusively on the Privacy Shield in order to transfer personal data between the EU and the USA. So, the question now is: what other means are there to allow such transfers of data to still take place?
Firstly, one should keep in mind that the General Data Protection Regulation (‘GDPR’), which came into force on 25th May 2018, solidified the fact that all transfers of personal data that remain within the EU are perfectly legal and, apart from the general obligations under the GDPR, the said intra-EU transfers require no additional formalities. It is only when data transfers from the EU to outside the EU (such as the USA) are to be made that issues might arise, as such countries are presumed to have a lower level of security than the EU.
Luckily, one of the best solutions already exists and has been around for quite some time, pre-dating even the GDPR, in the form of an EU mechanism known as the ‘standard contractual clauses’, or ‘SCCs’. These are a set of contractual clauses issued by the European Commission itself which parties can enter into and abide by to regulate a transfer of personal data from within the EU to any non-EU country. They are already currently in widespread use around the globe. The Privacy Shield meant that SCCs were, for the most part, unnecessary when carrying out transfers of personal data from the EU to the USA – at least in so far as the entities covered by the Privacy Shield were concerned. However, with this recent CJEU decision, the SCCs will be far more instrumental in orchestrating EU-US data transfers.
The GDPR also provides, in Article 46, for other possible mechanisms, besides the SCCs, whereby personal data can be transferred from within the EU to non-EU countries, such as the USA. One such alternative is the Binding Corporate Rules for intra-group transfers, which are useful for when a multinational entity is simply internally transferring personal data through different countries but is otherwise of little use. Nevertheless, the SCCs remain the most practical solution by far.
It should also be noted that certain countries have already been ‘white-listed’ by the European Commission, as having an adequate level of security and data protection, such that transfers to these countries can be considered to be on the same level as intra-EU transfers. The list includes countries such as New Zealand, Switzerland, Uruguay, Israel, Faroe Islands and Argentina among others and is periodically updated.[1] Up until recently, the USA was technically also on that list, subject to the Privacy Shield framework, but unless and until a new agreement is introduced, the EU shall be considering the USA as another third country in terms of transfers of personal data. Thus, for the time-being, without having SCCs (or some other mechanism) in place, no transfers of personal data may be made from the EU to the USA.
The situation regarding the United Kingdom post-Brexit is a different matter altogether and one that merits separate consideration. Please feel free to regularly check this website for updates on all such matters.
This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr. Warren Ciantar & Dr. Claude Micallef-Grimaud