The European Court of Justice dismisses Privacy Shield as a legal basis for processing personal data in the USA – and clarifies that the standard clauses may also be insufficient in some cases

On 16 July 2020, the European Court of Justice issued its ruling in Case C-311/18 (“the Schrems II case”), which concerned Facebook’s transfer of personal data from servers in Ireland to servers in the USA.

The Court concluded that personal data can no longer be legally transferred to the USA (or processed with access from the USA) on the basis that the recipient has self-certified according to the Privacy Shield framework. This is because all companies in the USA, even if they are certified, are subject to legislation that gives US authorities far-reaching opportunities to request access to personal data.

An alternative legal basis for transferring personal data to the USA, as well as to other countries outside the EU, is to sign an agreement with the recipient that contains the EU Commission’s protective standard clauses. In the Schrems II case, the European Court of Justice also comments on the EU Commission’s standard clauses. These standard clauses are not dismissed as a legal basis for transferring personal data outside the EU, although the Court clarifies that they do not automatically make a transfer legal. If the circumstances in the country are such that the recipient is unable to comply with the standard clauses, they may be insufficient to ensure a legal basis for the processing of personal data outside the EU. The European Court of Justice’s statements in the ruling regarding the insufficient level of protection of personal data in the USA indicate that a transfer to the USA on the basis of the model clauses could also be considered to be unauthorised.

What are the consequences of the ruling?

The ruling is expected to lead to intensified discussions between the EU and the USA on how personal data can be processed in the USA with a sufficient level of protection according to the GDPR.

The ruling means that anyone who today allows personal data to be processed in the USA on the basis of Privacy Shield must secure another legal basis for the processing.

Given that the Court has found that the EU Commission’s standard clauses may be insufficient to allow personal data to be transferred to certain countries, alternatives to the standard clauses may need to be considered if the processing of personal data is to continue legally in the USA or in other countries outside the EU where there is a risk the standard clauses will not be complied with.

If you have any questions regarding the ruling or want to investigate in more detail what its consequences are for your business, you are welcome to contact one of our privacy protection experts. 

Contact