Following the decision by the Court of Justice of the European Union (the "CJEU") on 16 July 2020 invalidating Privacy Shield and imposing potential constraints on the use of Standard Contractual Clauses ("SCCs") (more information on the decision itself can be read here), we are starting to see data protection authorities and other bodies across the EU, and globally, publicly discussing and commenting on the decision.
To provide an understanding of how the decision has been received generally, we have compiled a list, accessible here, of the statements and responses released to date, along with a brief overview below. It is still early days with respect to responses and recommended actions from regulators. However, we continue to monitor developments and will update the list and overview as new responses and recommended actions are released.
Many of the responses to date do not add much colour to the decision of the CJEU, with most authorities yet to provide any guidance on the practical application of the decision. The responses so far can be categorised as follows:
- Acknowledgment of the decision and confirmation that the authority is in the process of considering its implications;
- Restating the decision and warning as to the risks of non-compliance, including with respect to using the SCCs;
- Restating the decision and affirming that transfers to the U.S. are now unlawful; and
- No response.
It is clear, in the first instance, that there is no general consensus in the responses from the data protection authorities. This does not accord with the cooperative and unified approach expected by the GDPR.
Most of the European responses restate the decision and confirm that the SCCs remain a lawful mechanism for transferring personal data, including to the United States, subject to ensuring there is an “adequate level of protection” for personal data in the importing jurisdiction in accordance with the CJEU’s decision. That said, there is little detail or guidance regarding how exporters actually apply that standard in practice, with some commentators arguing that U.S. transfers can never meet the required level of protection, given the possibility of U.S. governmental surveillance under its national security authorities.
Certain of the responses similarly question whether transfers should be made to the United States at all, even if the SCCs are implemented, with one going as far as to state, categorically, that transfers of personal data to the U.S. are currently not possible, as U.S. laws do not provide an adequate level of protection. It’s notable that these stricter stances have been taken by German state authorities (albeit not in consensus with one another). Further guidance and clarity will hopefully follow in the coming days and weeks.
Another common thread in the current European responses is to reaffirm that Privacy Shield is no longer a valid mechanism for transferring personal data outside of the relevant authority’s jurisdiction. The U.K.’s ICO has gone against the grain here and stated that organisations currently using Privacy Shield can continue to do so until new guidance becomes available. This aligns with the U.S. Department of Commerce’s position, which has also confirmed it will continue to administer the Privacy Shield program and even continue processing applications. Given the looming end of the Brexit transition period, this may be an indication of things to come with respect to transferring U.K. personal data to the United States, but, again, we await further guidance.
From those responses that provide more than an acknowledgment of the decision, one message is clear across the board: compliance with the law with respect to international transfers is, in the eyes of regulators and other public authorities, still of vital importance, and the protection of the rights of individuals remains the paramount consideration.
The full list of responses from data protection authorities and other bodies can be seen here.