What was the occasion?
After about two years of waiting, the European Court of Justice today issued answers to preliminary questions posed by an Irish judge. The reason was a complaint that the Austrian student Maximilian Schrems had previously submitted to the Irish regulator against Facebook.
The questions put to the Court by the Irish court are:
- Do the Standard Contractual Clauses drawn up by the European Commission meet the requirements set by the GDPR? and
- Does the Privacy Shield, which must guarantee the (commercial) transfer of data from the EEA to the US, meet the requirements set by the GDPR and the Charter of the European Union?
As stated, these questions are the direct result of a complaint that Schrems lodged with the Irish regulator about the processing of his personal data by Facebook, in particular about the transfer of those personal data to the United States by Facebook.
This complaint previously led to the invalidation of the Safe Harbor principles, which until their invalidation were the basis for the lawfulness of the transfer of personal data to the US. Since then, the Privacy Shield has replaced the Safe Harbor principles.
What was the verdict?
In today’s ruling (July 16, 2020), the Court ruled that the Standard Contractual Clauses as drafted by the European Commission are valid. They meet the requirements that must be set for appropriate safeguards, as referred to in the GDPR.
Privacy Shield, on the other hand, does not meet the requirements of the GDPR. The main reasons are the lack of appropriate safeguards for the protection of personal data and effective remedies for data subjects. The ‘Ombudsperson mechanism’ set up by Privacy Shield does not provide data subjects with sufficient legal protection. The legal protection offered is not considered by the Court to be equivalent to the legal protection required by European law.
What are the consequences for the transfer of personal data?
The above has major consequences for the transfer of personal data to the US. The part of this transfer of personal data that takes place under the Privacy Shield is no longer lawful as of today. As of today, these ‘transfers’ are therefore in violation of the GDPR and can lead to substantial fines, according to the European Court of Justice in its ruling.
It is therefore very important that organizations know whether they share personal data with organizations in the US and which instrument they use for this transfer. If a transfer took place on the basis of Privacy Shield, this transfer must either be stopped or an alternative instrument must be used for the transfer. A suitable alternative is ‘binding corporate rules’. However, not acting is not an option.
If you have any questions or would like to know more about binding corporate rules, please contact us on +31 (0) 70 306 00 33 or firstname.lastname@example.org.