It is well known that one of aims of the European General Data Protection Regulation (the “GDPR”) is to facilitate the free movement of personal data within the Union, alongside its goal to protect personal data. The GDPR also allows the transfer of personal data to a third country that is able to ensure an adequate level of data protection.
The first solution offered by the GDPR to make this possible is for the EU Commission to find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In this case the Commission adopts an adequacy decision that permits the transfer of data – obviously, if justified under the law – to that third country, as if that country was a member of the EU (this is the case with New Zealand, for example).
In the absence of an adequacy decision, such transfers may take place only if the data exporter in the EU has provided appropriate safeguards and if data subjects have enforceable rights and effective legal remedies. One of the “appropriate safeguards” are the standard data protection clauses adopted by the Commission (under Decision 2010/87) that the data exporter and data recipient have to adopt and comply with.
Under the European privacy system prior to the GDPR, which had a similar authorization formality, the Commission adopted the Decision 2000/5205 (the “Safe Harbour Decision”) in which it found that the United States ensured an adequate level of data protection.
But in a judgment delivered on October 6th 2015, the European Court of Justice declared that Decision invalid.
After that invalidation, the Commission adopted a new Decision, the 2016/1250, on the adequacy of the protection provided by the EU-US Privacy Shield (the “Privacy Shield Decision”).
Under the Case C-311/18, the European Court of Justice had to determine the adequacy of the standard data protection clauses in the light of the Charter of Fundamental Rights and also of the Privacy Shield Decision.
In particular, the problem concerned the guarantees offered by the US legal system in case a public authority decided to access the data transferred from the EU.
The Court found that nothing affects the validity of the Decision containing the data protection clauses. However, the Court declared the Privacy Shield Decision invalid.
Concerning Decision 2010/87, the Court considered that its validity is not called into question because the standard data protection clauses in that decision do not (since they are contractual in nature) bind the authorities of the third country to which data may be transferred.
Moreover, that Decision imposes an obligation on the data exporter and recipient to verify, prior to any transfer, whether the third country has an adequate level of data protection. The same Decision also requires the data recipient to inform the data exporter of any inability to comply with the standard data protection clauses.
So each party is able to decide if it is necessary to suspend the transfer of data and/or to terminate the contract. On the other hand, considering the validity of the Decision 2016/1250, the Court noted that in the US, the requirements of US national security, public interest and law enforcement have primacy.
In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States as a result of the access and use by US public authorities of such data transferred from the European Union are not circumscribed in a way that satisfies requirements essentially equivalent to those under EU law.
The Court also added that data subjects are not sufficiently guaranteed actionable rights before the courts against the US authorities.
On all those grounds, the Court declared the Privacy Shield Decision invalid.
Following the decision came the official declaration adopted by the European Data Protection Board, comprised of the National Privacy Authorities from every EU Country, on July 17th 2020 during its 34th plenary session.
In this document the Board commits itself “to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law”. All that remains now is to continue following the developments on the possibility of a new EU-US framework.
Avv. Francesco Mambrini
Attorney at law – ICCNZ Member
