In its judgment of July 16, 2020 (Case C-311/18), the European Court of Justice declared the European Commission’s Decision 2016/1250 on the transfer of personal data to the United States (Privacy Shield) invalid. At the same time, the ECJ stated that Commission Decision 2010/87/EC on Standard Contractual Clauses (SCCs) remains valid in principle.
According to the Data Protection Commission, what are the consequences of the ruling for companies in Germany?
- The transfer of personal data to the USA on the basis of the Privacy Shield is illegal and must be stopped immediately. The ECJ declared the Privacy Shield invalid because the U.S. law assessed by the ECJ does not provide a level of protection substantially equivalent to that in the EU. The U.S. law to which the ECJ referred concerns, for example, intelligence collection powers under Section 702 of FISA and Executive Order 12,333.
- For a transfer of personal data to the USA and other third countries, the existing standard contractual clauses of the European Commission can in principle continue to be used. However, the ECJ emphasized the responsibility of the controller and the recipient to assess whether the rights of data subjects in the third country enjoy a level of protection equivalent to that in the Union. Only then can it be decided whether the guarantees from the standard contractual clauses can be realized in practice. If this is not the case, consideration should be given to what additional measures can be taken to ensure a level of protection substantially equivalent to that in the EU. However, the law of the third country may not interfere with these additional safeguards in such a way as to frustrate their actual effect. According to the ECJ ruling, standard contractual clauses without additional measures are generally not sufficient for data transfers to the USA.
- The judgment’s assessments also apply to other safeguards under Article 46 GDPR, such as binding corporate rules (“BCRs”), on the basis of which a transfer of personal data to the U.S. and other third countries takes place. Therefore, complementary measures must also be agreed for data transfers based on BCRs, unless the rights of data subjects in the third country enjoy a level of protection equivalent to that in the Union. These measures must also be able to guarantee a level of data protection for the transferred data that is essentially equivalent to that in the EU.
- The transfer of personal data from the EU to the USA and other third countries pursuant to Article 49 GDPR continues to be permitted, provided that the conditions of Article 49 GDPR are met in the individual case. The European Data Protection Board has published guidelines on the application and interpretation of this provision.
- Controllers who wish to continue transferring personal data to the U.S. or other third countries must immediately verify that they can do so under the above conditions. The ECJ has not granted a transitional or grace period.