Today (July 16, 2020), the EU Court of Justice, (the EU’s highest court) struck down the validity of the Privacy Shield – a mechanism that well over 5,000 U.S. companies have been using and relying upon in order to legally justify the transfer of personal data across the Atlantic into the US. This same court had previously invalidated the “Safe Harbor” protocol, concluding the Safe Harbor failed to adequately protect privacy rights of EU citizens, since it accorded law enforcement in the United States priority over the rights of EU citizens – permitting law enforcement virtually unrestricted access to the data.
This new case began when Max Schrems, an Austrian privacy advocate, complained to Irish data protection regulators that Facebook’s reliance on standard contract clauses to permit data being transferred from the European Union to the United States did not provide adequate protection. Schrems argued that it didn’t prevent intelligence officials and other third parties in the United States from getting at the information. The Commissioner at the Irish Data Protection Authority took the complaint to Ireland’s high court and they referred certain questions regarding the validity of standard contractual clauses to the EU Court of Justice. Although Schrems’ complaint never raised the Privacy Shield issue, it was raised in oral argument before the court, opening the door for the court to include it in their opinion and decision.
While the European Court invalidated the Privacy Shield, it didn’t buy Schrems’ argument that standard contractual clauses should be deemed invalid as a matter of EU law or regulation. They basically said that standard contract clauses could be among the “effective mechanisms” if they required both sides involved in the transfer to ensure information is accorded the equivalent level of protection as required under EU law. They went on to note that the parties should not use those clauses if they can’t comply with that requirement.
As a result, while neutering the Privacy Shield, they did uphold the validity of the use of standard contractual clauses to legally move personal information outside the European Union, if these clauses were effective in providing the same level of privacy protection as the EU requires.
The case is Between the Data Protection Commissioner and Facebook Ireland Ltd. and Maximillian Schrems (Case Number C-311/18) and as always, if you have any questions or need more information about this posting, feel free to contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.