Back to article list

Privacy Shield invalidated; standard contractual clauses remain valid

The Court of Justice of the EU (CJEU) invalidated the Privacy Shield, based on which it was possible to transfer personal data to the USA, and left standard contractual clauses in effect with certain exceptions. The question is whether personal data transfers performed to third countries based on these clauses will prove themselves in practice.

Maximillian Schrems’ previous complaint regarding the processing of his personal data by Facebook resulted in the invalidation of the Safe Harbour concept. His current complaint led to the examination of a subsequent tool based on which personal data were transferred to the USA, i.e. the Privacy Shield programme, and of the validity of personal data transfers on the grounds of standard contractual clauses.

According to the CJEU, the US legislation regulating the access to and use of personal data transferred from the EU to the USA fails to provide adequate protection, which should in principle be equivalent to the protection embodied in EU legislation. The Privacy Shield may therefore no longer be used. The option to use standard contractual clauses for transferring personal data to processors seated in third countries remains (theoretically) in effect. However, as the CJEU pointed out, their use requires the fulfilment of certain duties by the personal data exporters and recipients. These must make sufficiently sure in advance that an adequate level of protection will be adhered to in the relevant country. Moreover, if the recipient is unable to ensure the adherence to standard contractual clauses, they must immediately inform the exporter who must immediately suspend any personal data transfer.

Considering the reservations the CJEU has expressed as regards the handling of personal data by US authorities, the question remains whether standard contractual clauses may actually be used in relation to the USA. For example, the Berlin Commissioner for Data Protection has already made it clear that data controllers should avoid personal data transfers to the USA and prefer entirely European solutions. 

To use standard contractual clauses, it is always necessary to thoroughly analyse the law of the state receiving the personal data and to carefully assess each particular case. It can also be expected that their wording will be revised by the European Commission in the future.