The Schrems II Decision: Is the Privacy Shield Dead?
What is the Privacy Shield?
In July 2016, the EU – U.S. Privacy Shield Framework was adopted by the U.S. Department of Commerce and the European Commission (Commission Decision 2016/1250).
The Framework provides a mechanism for complying with data protection legislation when transferring personal data between the EU and the U.S., to encourage cooperation and transparency in support of transatlantic commerce.
U.S. organisations registered under the Privacy Shield Framework were recognised to provide an adequate level of protection for personal data transferred from the EU to the U.S. organisations.
The decision in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C-311/18, “Schrems II) 2020
On 17th July 2020, the Court of Justice of the EU (CJEU) issued a judgment which confirms that U.S. domestic laws act in direct contravention to EU privacy legislation set out in the Charter of Fundamental Rights, by protecting the primacy of U.S national security, public interest and law enforcement over that of the fundamental rights of individuals.
The compliance with federal surveillance laws leaves no remedy available for EU individuals whose data is transferred to the U.S. under the Privacy Shield Framework.
Therefore, the CJEU judgment confirms that the Commission Decision 2016/1250 is invalid due to the lack of protection afforded to individual personal data transferred between organisations by the EU – U.S. Privacy Shield Framework.
What does this mean for the Privacy Shield and transatlantic commerce?
As the Privacy Shield Framework has now been invalidated, negotiations must start for replacement structures to strike the balance between supporting businesses and organisations, and protecting individual’s fundamental rights.
Looking to the future, this seminal judgment may lead to additional burdens being placed upon businesses seeking to transfer personal data outside of the EU.
Specific case by case analysis will be required to assess whether, in the overall context of the transfer, there are appropriate safeguards in the third country to protect the personal data transferred out of the EU.
This will include an assessment of the destination of the data, the potential access to the data by public authorities, and availability of judicial redress for individuals, and consider whether additional safeguards are required.
The full practical implications of the decision are not yet known; however, undoubtedly the judgment will make it more difficult to transfer information to the US and other jurisdictions.
Brexit Negotiations and the Future
From 31st January 2020, the UK ceased to be an EU Member State and is currently in an implementation period until 31st December 2020. Whilst the UK is still treated as a member state for data protection law purposes, guidance is awaited to confirm how this judgment will affect the UK’s position as a third country at the end of the Brexit implementation period.
Invicta Law is able to assist your company with navigating the changing parameters of data protection within transatlantic commerce, both during, and after, the implementation period.
We provide pragmatic solutions for clients, delivering high quality legal advice at competitive rates. Contact us on 03000 411100, email firstname.lastname@example.org or download the team leaflet for more information.
Contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute professional or legal advice. Invicta Law cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article