On July 16, 2020, the Court of Justice of the European Union announced its decision to invalidate the EU-US Privacy Shield program, a tool that allows companies to transfer personal data from the European Union to the US in compliance with EU law. In the same decision, the court upheld the validity of standard contractual clauses (SCCs) as a means to legally transfer personal data outside of the Union, but raised numerous questions about their use in practice.
With respect to Privacy Shield, the court determined that the framework failed to provide “adequate” protection to EU data subjects, in violation of the EU’s General Data Protection Regulation (GDPR). According to the court, access to personal data by US public authorities pursuant to certain intelligence-gathering programs went beyond the threshold of what was permissible under GDPR. The court acknowledged the provisions in Privacy Shield that specify requirements that US authorities should follow, but found that the lack of provisions granting consumers an actionable right in court against US authorities was problematic and meant that protections in the US would be inadequate under EU law.
In contrast, the court declined to invalidate the standard contractual clauses, despite the fact that they do not bind public authorities. Instead, the court reasoned that they obligate the data exporter and data importer to determine, in any given circumstance, whether adequate protections exist in the destination country prior to the transfer of data. In other words, using SCCs in the context of transfers to countries that have adequate protections should continue to be acceptable, but the SCCs may not suffice when the third country’s data protections are otherwise inadequate.