Once again, the European Union Court of Justice finds that the US does not offer an adequate level of protection to the data subjects that would allow transfers from Europe to that country. This decision may have a significant impact on transatlantic trade relations
On 6 October 2015, in the famous Schrems ruling, the European Court of Justice declared Commission Decision 2000/520/EC of 20 July 2000 (Safe Harbour), which allowed the transfer of personal data from the EU to US companies that were signatories of the principles of that decision, invalid.
This and other adequacy decisions are based on the premise that the country benefiting from this decision offers an adequate level of protection to data subjects, if not equal, at least close to that offered within the EU.
After the Schrems ruling, negotiations soon began to approve a decision to replace Safe Harbour, but with a higher level of protection – now with the new General Data Protection Regulation as the background.
Thus, the Commission’s (EU) decision 2016/1250 of 12 July 2016 implemented Privacy Shield as an appropriate protection mechanism through which European entities could transfer personal data to companies that had joined the mechanism.
This adherence is made through the demonstration of a set of evidences by the companies and the adoption by them of self-monitoring and compliance procedures. By being part of this mechanism, US companies benefited from something similar to a quality stamp with regard to the protection of personal data from Europe.
The Schrems II ruling
This ruling has once again pointed to the shortcomings in US legislation and practices that are harmful to the data subjects whose data is transferred there. In particular, the Court highlighted the lack of guarantees offered by US public bodies in their procedures for collecting information about citizens.
In addition, the European Data Protection Board had already drawn attention in its annual report on Privacy Shield (January 2019) to several points in the mechanism still to be corrected, particularly with respect to data processing by US public entities.
Transfers of personal data to US territory are, in principle, prohibited. However, a number of legal instruments remain beyond the adequacy decisions to ensure that the flow of data to the US can be maintained.
The first relates to the standard contractual clauses to be contained in a contract between the European entity wishing to transfer the data and the US entity wishing to receive them. This will be the mechanism that more entities are expected to use, although it will significantly increase the bureaucracy in the procedures.
Another similar mechanism will be the intra-group agreement, which is more suited to multinational entities wishing to transfer data to the parent or subsidiary located in the US.
There are still legal exceptions to this prohibition, such as the holder’s agreement to the transfer or the overriding need for the transfer to fulfil a legal or contractual obligation.
Bearing in mind that the US is the EU’s main trading partner, it is easy to understand that this Decision is of concern to those responsible for entities on both sides of the Atlantic. For this reason, a new adequacy decision is expected in the near future to streamline data transfer procedures.
Thanks for being in that side.