Following on from a reference by the Irish High Court, the Court of Justice of the European Union (CJEU) delivered a significant ruling on 16 July 2020 regarding the validity of various data transfer mechanisms from the EU to third countries, in particular, the United States.
The GDPR provides that the transfer of personal data from the EU to a third country may take place only if the third country in question ensures an adequate level of data protection equivalent to that guaranteed within the EU by the GDPR read in the light of the Charter of Fundamental Rights.
The CJEU agreed with the submission of our client, Mr Max Schrems, in two major respects. The CJEU determined that the EU-US Privacy Shield decision is invalid, based on the finding that the Privacy Shield mechanism cannot ensure a level of protection in the US essentially equivalent to that in the EU and that it does not afford data subjects any legal remedy or cause of action in the EU before a body which is required by the Charter of Fundamental Rights.
The Standard Contractual Clause Decisions remain valid. However, the competent national supervisory authority is required to suspend or prohibit a transfer of personal data to a third country where those clauses are not or cannot be complied with in that third country, the protection of the data transferred cannot be achieved by other means, and the data exporter or importer has failed to suspend the transfer. In effect, given the findings of the CJEU in relation to the level of protection afforded to EU citizens' data in the US and the lack of an appropriate remedy, it appears that companies like Facebook will not be entitled to rely on Standard Contractual Clauses to transfer data from the EU to the US.
If you would like to discuss the implications that this decision may have on you or your business, please contact Gerard Rudden at gerard.rudden@arqsolicitors.com or by telephone at 01 661 6102.