DWF comments on CJEU judgment on international data transfers from Europe to USA
In a landmark judgment today, the Court of Justice of the European Union (‘CJEU’) ruled that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful, but it has upheld the validity of the Standard Contractual Clauses scheme, thereby providing a safety net for transatlantic business.
The Privacy Shield was negotiated with the US Department of Commerce between 2015 and 2016 to remedy the collapse of its predecessor, the Safe Harbour agreement, in 2015.
Behind the legal challenge to Privacy Shield and Safe Harbour was the spectre of Edward Snowden’s 2013 disclosures about mass surveillance by national security and law enforcement agencies in the United States. The core argument in both cases was that companies such as Facebook Ireland cannot ensure adequate privacy protections for users in Europe with respect to their personal data sent to Facebook Inc in the United States, due to the different nature of the US legal system’s rules on national security, privacy and data protection.
The collapse of the Privacy Shield it likely to have massive implications for transatlantic relationships, but the CJEU upheld the Standard Contractual Clauses framework for international transfers, meaning that a workaround exists for organisations to ensure their data flows to the United States are lawful. The Standard Contractual Clauses can also be used to maintain data flows with other countries outside of Europe.
Stewart Room, Global Head of Data Protection and Cyber Security at DWF, said:
"This judgment is the second major blow delivered to the US privacy and data protection legal framework by the EU Court of Justice relating to the Snowden disclosures and in today’s climate of unstable transatlantic political relationships, it is unlikely to meet with approval in the US. However, this is not just a US problem. Twice now the European Commission has tried to reach an agreement with the US on data protection, only to have its efforts ruled unlawful. There needs to be a different mindset to how the challenges of international transfers to the US are met, because failed schemes like this have significant impacts for individuals and for businesses.
"Fortunately, there are workarounds to maintain data flows to the US, which include the Standard Contractual Clauses. This means that adjustments can be made where necessary, to keep data flows to the US alive.
"However, businesses will be asking themselves ’what is next’? There are other countries that pose challenges to privacy rights and data protection and they raise obvious questions about the potential for other legal action."