Today the Court of Justice of the European Union (CJEU) issued its decision concerning, in particular, the two key tools available to administrators of personal data for transferring such data to countries outside the EU: the standard contractual clauses and the so-called Privacy Shield (i.e. the Decision of the Commission allowing the transfer of personal data from the EU to the US under the EU-US shield).
Firstly, the CJEU confirmed that the decision of the European Commission stipulating the standard contractual clauses (which are used in contractual relationships between administrators of personal data and administrators and processors from countries outside the EU) is valid. In other words, the use of these standard contractual clauses is one of the key elements in ensuring a sufficient framework for processing personal data when they are transferred to countries outside the EU. However, the CJEU stressed at this point that concluding these contractual clauses alone does not provide a level of protection essentially equivalent to that guaranteed in the EU. Circumstances outside the control of the contracting party to the clauses, for example the legal system of the respective country and the access of state bodies or offices to the personal data transferred from the EU, must be taken into consideration. According to the CJEU, it is the obligation of the administrator and the receiving person to verify, prior to the transfer of the personal data, whether the level of protection is comparable to the one guaranteed by the EU; at the same time, the receiving person shall notify the administrator about any amendment to the legal regulations which would prevent securing a level of protection comparable to that of the EU and to stop the transfer of the personal data.
The second tool assessed for the protection of personal data was the Commission's decision on the so-called “Privacy Shield”, which was intended to ensure that the protection standard used in the EU also applies in the USA. However, the CJEU declared this decision invalid.
The basis of this decision was a complaint filed by Mr. Schrems with the Irish data protection office against Facebook Ireland Ltd., which transferred the personal data of Mr. Schrems to Facebook Inc., seated in the USA. It is interesting that the predecessor of the “Privacy Shield”, i.e. the previous agreement between the USA and the EU on the protection of personal data, the so-called “Safe Harbour”, was also declared invalid on the basis of a complaint by Mr. Schrems regarding the transfer, and especially the storage, of personal data by Facebook Ireland Ltd. on servers located in the USA (the CJEU decision dated October 6, 2015, file No. C-362/14).
In today’s decision the CJEU expressed its doubts as to whether the USA provides personal data protection comparable to that of the EU, especially because the USA reserved the right of its state bodies and institutions to access the transferred personal data to the extent necessary for the protection of the interests of the USA. At the same time, the CJEU specified that the USA has neither a law nor any other legal regulation on personal data protection, and that there are no safeguards and securities for the personal data subjects which would limit the access of the state bodies and institutions of the USA to the personal data transferred from the EU. Examples include the impossibility of judicial review of the processing of subjects’ personal data in the USA, the impossibility for personal data subjects to exercise their rights specified in the GDPR, the non-existence of reasons for and the extent of the personal data processing by surveillance programs of the intelligence bodies of the USA, and the fact that the ombudsperson established under the Privacy Shield is not independent, since he is a member of the government administration of the USA and is elected and recalled by the Secretary of State of the USA.
From the above decision we presume that the transfer of personal data to the USA should not be possible at this moment, not even under the standard contractual clauses, because, in the opinion of the CJEU, the USA does not ensure a level of protection comparable to that of the EU. However, because personal data flow from the EU to the USA constantly (also due to global groups of companies having their controlling company or headquarters in the USA), the topic of transferring personal data to the USA will be intensively debated in the upcoming days.