EU Standard Contractual Clauses Ruled Valid

EU standard contractual clauses are valid, the European Court of Justice (ECJ) has ruled. But it also unexpectedly invalidated the EU-US Privacy Shield framework. Following the ruling, it is clear data controllers are now increasingly accountable for how they use and process personal data.

The ECJ handed down a long-awaited judgment on the validity of EU standard contractual clauses (SCCs) as a cross-border data transfer mechanism under the General Data Protection Regulation (GDPR) (Case C-311/18 Schrems II). Most businesses around the world rely on SCCs to transfer personal data from the EU to the US and to other jurisdictions.

By way of background, an Austrian national made a complaint in 2015 to the Irish supervisory authority, effectively seeking to prohibit the transfer of his personal data by Facebook Ireland to Facebook-owned servers located in the US. He challenged Facebook Ireland’s legal reliance on SCCs, arguing that the SCCs did not adequately protect EU data subjects to the extent the GDPR does. His data could, for example, be accessed and processed by the US government.

His complaint culminated in proceedings brought by the Irish DPA against Facebook. The Irish High Court then referred various issues to the CJEU for a preliminary ruling.

In an Advocate General’s opinion on the case last December – such opinions are largely followed by the ECJ – the AG said SCCs give sufficient protection for EU personal data. However, the AG suggested that businesses relying on SCCs may need to take a proactive role in evaluating whether there is an “adequate level of protection” for personal data in the importing jurisdiction. Concerns were also raised around the Privacy Shield.

The ECJ has now invalidated the Privacy Shield decision, saying the limitations on the protection of personal data arising from US domestic law on the access and use of the transferred data by US public authorities “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law…”.

It also ruled that the Privacy Shield framework does not grant EU individuals actionable rights before the courts against US authorities.

The Information Commissioner’s Office said it is considering the judgment and its impact on international data transfers, which are vital for the global economy. It said it stands ready “to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”.

The key takeaway for businesses and other organisations that continue to rely on SCCs is that they need to consider whether there is an “adequate level of protection” for the personal data as required by EU law. This will depend, for example, on the nature of that personal data, the purpose of processing and the country of destination.

Where necessary, supplementary measures and additional safeguards may need to be adopted by the controller to ensure compliance with the level of protection required under GDPR.

Finally, where adequate additional measures to guarantee such protection cannot be taken, the controller or processor (or the competent supervisory authority) must suspend or end the transfer of personal data to the third country concerned.

If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you.