The General Data Protection Regulation (GDPR) provides that the transfer of personal data to a third country may take place only if that third country ensures an adequate level of personal data protection. By Commission Implementing Decision (EU) 2016/1250 of 12.07.2016 on the adequacy of the protection provided by the EU – U.S. Privacy Shield (“Implementing Decision (EU) 2016/1250”), the European Commission resolved that the United States guarantee an adequate level of protection for personal data transmitted by the Union to organizations in the United States under the EU – U.S. Privacy Shield.
By decision in case C-311/18 of 16 July 2020, the Court of Justice of the European Union (CJEU) declared Implementing Decision (EU) 2016/1250 invalid. Thus, in practice, the CJEU ruled that the Shield is not a suitable instrument for the transfer of personal data from the EU to the United States.
The CJEU finds that:
– The U.S. law does not contain restrictions on the implementation of certain surveillance programs for foreign intelligence purposes, nor does it provide guarantees for non-U.S. nationals potentially covered by these programs.
– Said surveillance, programs based on provisions of U.S. law, are not limited to what is strictly necessary, as required under the EU legislation.
– The restrictions on the protection of personal data, arising from U.S. domestic law, regulating the access and use of such data transmitted by the EU to the U.S. by U.S. public authorities, are not defined in a manner consistent with the EU Charter of Fundamental Rights.
Nonetheless, the Court of Justice confirms the validity of Decision 2010/87/ EU on standard contractual clauses for transfer of personal data to processors established in third countries.
The judgment in Case C-311/18 means that the transfer of personal data between the U.S. and the EU cannot be carried out on the basis of the Privacy Shield. However, the transfer may take place on the basis of any of the other instruments provided for in the GDPR, such as: binding corporate rules, codes of conduct or standard contractual clauses.
It should be noted, however, that the CJEU explicitly states that even when a transfer is based on standard contractual clauses, but in view of all the circumstances surrounding that transfer, the standard contractual clauses are not or cannot be complied with in the third country concerned and the protection of the transferred data required by EU law cannot be ensured by other means, the data controller (and if he does not do so – the supervisory body) must suspend or terminate the personal data transfer.