On 16 July 2020, the Court of Justice of the European Union, in its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, invalidated one of the prerequisites for transferring data for processing to the United States of America: the European Commission's (Commission) Decision 2016/1250 on the adequacy of the level of protection for the transmission of data to the US, the so-called “Privacy Shield”, which is based on the US system of self-certification.
Regarding another precondition, namely Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries, the Court stressed in its judgment the obligation of the data exporter and the importer to verify, before the transfer of personal data, whether the level of protection of personal data required by EU law is respected in the third country concerned.
What this could mean for you:
- Assess whether you are sending personal data for processing in the territory of the United States. The judgment does not apply to the transmission and processing of other forms of data.
- If you are sending personal data for processing in the US, for example by storing personal data with a cloud computing service provider that stores the data in the US, check which condition of the Regulation you have fulfilled to transfer the data, e.g., whether you ensured that the contracts contain standard clauses in accordance with Article 46 of the Regulation, ensured that binding corporate rules approved by the supervisory authority apply to the processor established in a third country, or relied on Commission Decision 2016/1250 on the adequacy of the protection of the Privacy Shield.
- If you send data for processing in the US for the purpose of performing a contract with a natural person or on the basis of other derogations provided for in Article 49 (1) of the Regulation, the judgment should not affect the transmission of such data.
- If you sent data for processing in the US relying solely on Commission Decision 2016/1250, which has been declared invalid, it is recommended that you put appropriate safeguards in place urgently, e.g., ensure that contracts with processors established in third countries include standard clauses in accordance with Article 46 of the Regulation, or re-assess the need to transmit data to the US.
- If you sent or intend to send personal data to the US or other third countries under contracts with processors established in third countries that include standard contractual clauses in accordance with Commission Decision 2010/87, it is recommended that you assess, in a documented manner, the adequacy of protection and compliance with the level of protection of personal data under EU law, e.g., by making sure that the data processor registered in the third country is able to meet the standard contractual clauses.
The full text of the judgment of the ECJ is available here.