Let us remember – transfer of personal data from the EU to third countries is only permissible if there is a legal basis for such transfer. It follows from Article 44 of the General Data Protection Regulation (GDPR) that any transfer of personal data processed or intended for processing after transfer to a third country or an international organization must comply with the provisions of the GDPR. The latter envisages the following options of legal bases for transfer:
a) Adequacy decision adopted by the European Commission regarding a specific country; or
b) Appropriate safeguards provided, including, inter alia, binding corporate rules and standard data protection clauses (better known as standard contractual clauses); or
c) Exceptions from Article 49 of the GDPR.
Point a), namely the adequacy decision, also includes the decision of the European Commission on the appropriate level of personal data protection in the framework of the EU-US Privacy Shield Agreement. The latter has been in force since 1 August 2016, based on a decision adopted on 12 July 2016. Under the Privacy Shield, individual companies were certified as ensuring an adequate level of protection, and personal data could be transferred to these companies from the EU without a specific additional decision or authorization as well as without fulfilling additional conditions (except, of course, the appropriate legal basis for the processing of personal data from Articles 6, 9 and 28 of the GDPR).
With the decision of 16 July 2020 in the case of Schrems II (DPC Ireland v. Facebook Ireland and Schrems), the CJEU declared the decision of the European Commission on the adequacy of the privacy shield invalid, which means that it can no longer be the basis for transfers of personal data to companies in the U.S. This means that organizations that transfer personal data from the EU to the U.S. must ensure that they provide another appropriate legal basis for further transfers. It is not yet clear whether this decision has an ex tunc effect, which could be inferred from applying Article 264 of the Treaty on the Functioning of the EU by analogy. Such an interpretation could have important implications for anyone who has thus far transferred personal data to the U.S. on the basis of the privacy shield.
Although most articles cover the privacy shield annulment, the main subject of the assessment were in fact the standard contractual clauses. These did remain in force after the decision, but the CJEU pointed out important aspects in this regard, including that the signing of standard contractual clauses does not relieve the transferring organization from ensuring adequate protection. For this purpose, the one who transfers personal data to the U.S. (or another third country) must also take into account the law of the country to which the data is transferred and use an assessment, the subject of which was the privacy shield as well. In the latter case, the CJEU pointed out that the European Commission must take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. In the same way, before transferring personal data on the basis of standard contractual clauses, the country to which the data is transferred should be assessed by the exporter, which will certainly burden many transfers to third countries.
A short statement on the matter has already been issued by the European Data Protection Board, and they will address the consequences of the decision in more detail soon, which we will also report on.