Article written by Haim Ravia, Dotan Hammer and Adi Shoval
The Court of Justice of the European Union (the “CJEU”) invalidated the Privacy Shield program for personal data transfers from the EU to the US. At the same time, the CJEU upheld the Standard Contractual Clauses (the “SCC”) as a valid mechanism for transfers of personal data to jurisdictions outside the EU but added restrictions that complicate their use
The CJEU’s decision explains that US legislation allowing the American intelligence and security agencies to indiscriminately collect and process mass personal data, including that of EU individuals, interferes with the fundamental rights of those individuals.
The CJEU’s judgment also opined on the validity of the SCC. The CJEU held that although there is no reason to invalidate the SCC as such, the parties to each SCC are obligated to examine the various circumstances concerning the transfer of personal data. In particular, they are required to assess whether the SCC data recipient is capable of complying with the SCC obligations, considering the legal regime in its jurisdiction and any mass surveillance data access by the public agencies of that country. In certain circumstances, the data transferor should consider reinforcing the Standard Contractual Clauses with additional obligations to ensure that the level of protection for the personal data required by the EU is preserved.
Following the CJEU’s decision, the European Data Protection Board (“EDPB”) published its take on how the CJEU’s decision should be implemented. It explained that organizations that rely on the Privacy Shield mechanism to transfer data from the EU to the US should cease doing so immediately and consider whether they can use a different transfer mechanism instead. Organizations seeking to rely on the SCC must conduct an assessment of whether the receiving country’s laws ensure an EU equivalent level of protection to personal data and reinforce the SCC with supplementary measures where necessary. The EDPB noted that it is looking further into what these supplementary measures could consist of and will provide more guidance soon.
CLICK HERE to read the CJEU’s decision in Schrems II. CLICK HERE to read the EDPB Q&A document.
