The United States does not provide adequate protection for personal data transferred from the European Union. This was determined by the European Court of Justice on 16 July 2020. The Court has declared the Privacy Shield invalid. Transfers of personal data on the basis of the standard contractual clauses are, however, valid.
EU-US Privacy Shield
The General Data Protection Regulation (GDPR) states that the transfer of personal data to a third country can, in principle, only take place if the third country ensures an adequate level of protection.
If a country outside the EU ensures an adequate level of data protection in national law, the European Commission (EC) can adopt a so-called ‘adequacy decision’.
The EU-US Privacy Shield is an example of such an adequacy decision. The Privacy Shield is a regulation for the transfer of personal data from the EU to the US. The purpose of the Privacy Shield is to provide a level of protection that is essentially equivalent to that guaranteed within the EU by the GDPR.
The Court assessed the validity of the Privacy Shield against the requirements of the GDPR. The Court noted that the Privacy Shield enshrines the position that the requirements of US national security, public interest and law enforcement have primacy. As a result, the privacy of EU citizens is at stake.
The Court refers to an internal regulation under which U.S. public authorities have access to personal data without being ‘limited to what is strictly necessary’. It also fails to give EU citizens ‘enforceable rights in court against the US authorities’. Thus, EU citizens cannot take action against an invasion of their privacy.
Standard contractual clauses
In the absence of an adequacy decision, there must be another appropriate safeguard if an organization wishes to transfer personal data to a country outside the EU. This can be achieved by means of standard contractual clauses adopted by the European Commission.
The validity of standard contractual clauses has also been examined by the Court. The Court acknowledges that, because of their contractual nature, the standard contractual clauses are not binding on the authorities of the third country to which personal data may be transferred. However, this does not affect the validity of the standard contractual clauses. The determining factor is whether the standard clauses sufficiently guarantee the privacy of EU citizens. In addition, it should be possible to suspend or prohibit the transfer of personal data on the basis of the standard contractual clauses if they are violated or cannot be complied with. The Court ruled that the standard contractual clauses offer such safeguards.
The standard contractual clauses contain an obligation for the data exporter and the receiving party to assess in advance whether the level of protection is respected in the third country. The recipient is obliged to inform the data exporter if it is unable to comply with the standard contractual clauses. In this case, the data exporter must suspend the transfer of personal data and/or terminate the agreement with the recipient.
Now that the Privacy Shield has been declared invalid, companies can no longer rely on it to transfer personal data to the US. This has major consequences for both European and US companies.
The standard contractual clauses are a possible alternative for the transfer of personal data from the EU to a third country. However, the question is whether these standard clauses can always be used. As explained above, the standard contractual clauses contain an obligation for both the data exporter and the recipient to assess in advance whether the required EU level of data protection is respected in the third country. This level of protection does not seem to be guaranteed in the US.