CJEU today has decided that the adequacy decision by EU on Privacy Shield is invalid. Consequentially all transfer of personal data from a country of the European Union to USA based on Privacy Shield immediately needs to be stopped until the legal basis is replaced by a valid mechanism.
CJEU also said that EU Standard Contractual Clauses (SCC) are fine to use, conditional (!) that the parties to such clauses need to investigate, prior to any transfer of personal data, whether the country of the data importer respects the level of data protection given in the SCC or not and the recipient needs to inform the data exporter of any inability to comply with the level of data protection, while the data exporter needs to terminate any transfer of personal data in such case.
(a) Each company which transfers personal data from a country in European Union or European Economic Area to USA has to investigate if one or multiple transfers are based on Privacy Shield and needs to replace this mechanism immediately by another – valid – mechanism. As long as this is not the case, any transfer based on Privacy Shield needs to be stopped.
(b) Replacing Privacy Shield with EU Standard Contractual Clauses is not obvious. It needs carful consideration of the actual legal situations of those countries to which the personal data shall be transferred based on EU Standard Contractual Clauses.
(c) As the legal situation evolves, especially in the area of data privacy, regular checks of the situation are necessary. More obligations to regular checks on the legal situations on data importers are to impose and to follow up. This will drive costs up.
(d) The data exporter and the controller need to stop any transfer of personal data immediately if one of the countries to which the personal data shall be transferred, might force the data importer (or recipient) to oblige to applicable law but being in contrary to the EU Standard Contractual Clauses. Otherwise fines by competent authorities will follow. And it is foreseeable that they will be hefty.
(e) As CJEU has given judgment that Privacy Shield is not sufficient as legal basis for transfer to USA it is highly questionable if EU Standard Contractual Clauses will be able to give legal basis for transfer of personal data to USA.
And that’s the real issue behind this decision. It might that we find out that all mechanisms we have at hand in GDPR can‘t ensure similar level of data protection in USA, as of the legal situation there. We are spectators of a clash of data protection philosophies (or regimes), fired by a single person and decided on by CJEU, while EU lawmakers have seen this coming and have not build in respective rules in GDPR. It is therefore also their task to find solutions.
CJEU press release: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf