DECISION OF EUROPEAN COURT ON TRANSFER OF PERSONAL DATA TO THE UNITED STATES HAS SIGNIFICANT CONSEQUENCES
On the 23rd July, the European Court of Justice gave its decision on the long-running case involving Maximillian Schrems and Facebook, a decision with significant consequences for businesses that transfer personal data to the United States.
The relationship between the European Union and the United States has been rocky for some years. This latest decision (in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559) is the most recent development and essentially invalidates the existing arrangement.
The General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside of the EU unless certain conditions are met. In principle, a transfer may take place in any of the following circumstances:
- Where there is a European Commission adequacy decision
- If there are appropriate safeguards in place, such as standard contractual clauses or Binding Corporate Rules (essentially between linked businesses), provided that data subjects have enforceable rights and effective legal remedies
- If the data subject expressly consents
Previously there was a “safe harbour” arrangement in place between the EU and the United States. Mr Schrems first challenged the validity of this in 2015, relating to the transfer of his personal data from Facebook in Ireland to Facebook in the USA. He was successful in this challenge, which led in 2016 to the European Commission implementing a new adequacy decision known as the Privacy Shield.
As a result, Mr Schrems re-constituted his complaint to the Irish Data Protection Commissioner, claiming that the United States did not offer the appropriate level of protection to personal data. The basis of this complaint was that the US government was able to access the personal data of EU citizens processed in the United States, and that those people had no legal remedy available to them should the US government do so.
Under US law, internet service providers are required to provide information to various government agencies, such as the FBI.
The Irish Data Protection Commissioner therefore referred the matter to its High Court, which in turn referred it to the European Court. The European Court's ruling dealt with a number of questions (and made decisions not dealt with here) but crucially determined that the Privacy Shield was invalid.
The main basis for the court’s decision is that the appropriate safeguards, enforceable rights and legal remedies required by the relevant provisions of the GDPR must be reciprocated to an equivalent extent in the US. The court found that they are not.
This decision takes immediate effect.
It is understood that the EU and the US will now embark upon further discussions about how the matter can be addressed but, for the present, data processing arrangements with the US have been thrown into some turmoil. Some guidance issued by the UK Information Commissioner’s Office suggests that existing arrangements entered into prior to the decision can remain in place, but future agreements are subject to the ruling. However, this is likely to be a moveable feast.
Should you require any advice or guidance on GDPR, including the implications of the above for your business, please contact Chadwick Lawrence’s Regulatory department.