The Court of Justice of the European Union (“CJEU“) issued its judgment today in the Schrems II case1 and it is fair to say that it has caused some shock amongst the privacy community and our clients.
First things first: don’t panic!
Data flows will continue, and can continue, for the time being. It will take time for regulators and organisations to reflect on what is a very complicated judgment (misleadingly simple in its headline of “Privacy Shield invalid; Standard Contractual Clauses valid”).
Very briefly the CJEU held that the Standard Contractual Clauses (“SCC“) were not automatically invalid. However, their use did have to be assessed on a case-by-case basis in particular taking into account the “relevant aspects of the legal system of the [relevant recipient] country”. The organisation based in the EU sending data out of the EU under the SCCs is responsible for the assessments and potentially putting into place “supplementary measures” (should there be any issue with that regime). Regulators have to police these assessments.
No doubt regulators will in due course be pronouncing on how to take into account those assessments and what measures may be put in place.
When it comes to Privacy Shield, the position is a little starker. As a result of the lack of proper oversight of the ability of US security and law enforcement agencies in their access to non-US citizen’s data (and the lack of sufficient rights for individuals), it was struck down as “invalid”. Transfers relying on Privacy Shield will now need to find another way of transferring data.
We have been here before; Safe Harbor (Privacy Shield’s predecessor) was struck down by the same court in 2015. Those of us around in privacy back then will recall a hasty repapering of transfers using SCCs. The regulators even gave a “grace period” for companies to do that. We can expect more of the same now.
The European Commission has already said that other mechanisms exist in place of Privacy Shield, including SCCs. The SCCs are in any case being modernised and new versions should be available soon. It can be expected that the Commission will do what it can to deal with the judgement here.
A likely problem though, which will have to be addressed, and to be frank, has been ignored by the Commission in its immediate reaction today, is the difficulty of using SCCs in the US when the CJEU was so critical of the US legal regime when discussing Privacy Shield.
It will take time for…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
