European Court throws out EU-US data transfer regime (again …)

European Court throws out EU-US data transfer regime (again …)

By Darren Isaacs and Deborah Margolis - 16 July 2020

The Court of Justice of the European Union (the ECJ) has handed down its long-awaited decision in Max Schrems’ latest challenge to EU-US data transfers.

In the latest round of court cases, Schrems brought a complaint against Facebook Ireland for sending his personal data to Facebook in the USA. The complaint first went to the Irish Data Protection Commissioner, then made its way into the Irish court system, and eventually was referred to the ECJ.

The ECJ has decided that:

  • The Privacy Shield mechanism is invalid.
  • Standard Contractual Clauses are still valid but for those transferring personal data outside the EU (including to the USA), individual data exporters and supervisory authorities in each EU country will be required to assess whether the laws in the recipient country (e.g. the USA) are consistent with the rights of EU citizens under the GDPR. Doubts have been expressed that this is the case for the USA, given the ease with which its government agencies can access personal data.

Based on the ECJ’s own conclusion that US law does not provide an adequate level of privacy protection for EU citizens, there is a significant risk of a future challenge to the use of Standard Contractual Clauses (in particular where that data is transferred to the USA). 

This decision will be of interest to all clients who transfer the personal data of EU data subjects, including their employees, to the USA. This includes US-based clients with international operations who:

  • Host HR databases in the US;
  • Access EU HR databases or records from the US; or
  • Host or manage email servers or other systems used by EU based employees from the US.

Businesses who find themselves in this position may need to review their GDPR data-export arrangements, urgently, to assess their level of compliance and likely exposure. The ICO (the UK’s supervisory authority) has published a statement saying that it is considering the impact of the judgment on international data transfers. We are awaiting further guidance.

If you would like to discuss this further, please contact your usual GQ|Littler contact or email Deborah Margolis who is coordinating our client response to this issue.