The United States does not provide adequate protection for personal data transferred from the European Union. The European Court of Justice ruled this on July 16, 2020, and thereby declared the Privacy Shield invalid. However, transfers of personal data on the basis of the standard contractual clauses are valid.
The General Data Protection Regulation (GDPR) provides that, in principle, the transfer of personal data to a third country can only take place if the third country ensures an adequate level of protection. If a country outside the EU provides an adequate level of data protection in its domestic law, the European Commission (EC) can take an "adequacy decision."
The EU-US Privacy Shield is an example of an adequacy decision. The Privacy Shield is an arrangement for the transfer of personal data from the EU to the US. The goal of the Privacy Shield is to provide a level of protection broadly equivalent to that within the EU.
The Court tested the validity of the Privacy Shield against the requirements of the GDPR. The Court finds that the Privacy Shield provides that national security, the public interest and compliance with U.S. law take precedence. As a result, the privacy of EU citizens is at stake. The Court refers to an internal regulation under which U.S. government agencies have access to personal data without being "limited to what is strictly necessary." Also, under the arrangement, EU citizens have no "judicially enforceable rights against the U.S. authorities." Thus, EU citizens cannot take action against an invasion of their privacy.
If there is no adequacy decision, then there must be another appropriate safeguard if an organization wants to transfer personal data to a country outside the EU. This can be done with a model contractual clause established by the European Commission (the standard contractual clauses).
The validity of standard contractual clauses was also examined by the Court. The Court recognizes that by their contractual nature, standard contractual clauses are not binding on the authorities of the third country to which personal data may be transferred. However, this does not affect the validity of standard contractual clauses. Indeed, the determining factor is whether the standard clauses adequately safeguard privacy. In addition, it must be possible to suspend or prohibit the transfer of personal data on the basis of the standard clauses if they are violated or are not (or cannot be) respected. The Court finds that the standard contractual clauses provide such safeguards.
The standard contractual clauses contain an obligation for the provider and recipient to verify in advance that the level of protection is observed in the third country. The recipient is obliged to notify the provider if it is unable to comply with the standard clauses. In this case, the provider must suspend the transfer of data and/or terminate the agreement with the recipient.
Now that the Privacy Shield has been declared invalid, companies can no longer rely on it to transfer personal data to the US. This has major implications for both European and U.S. companies.
Standard contractual clauses are a possible alternative for transfers to a third country. However, the question is whether these standard clauses can always be used. As explained above, the standard contractual clauses contain an obligation for both the provider and recipient to verify beforehand whether the required European level of protection is observed in the third country. And that level of protection seems to be precisely what cannot be guaranteed in the US.