Privacy Shield is down! Be careful with transferring personal data to the United States

Interfyde® • July 16, 2020

Today, the Court of Justice of the European Union has declared the Commission's decision regarding the Privacy Shield mechanism invalid

Today, 16 July 2020, the Court of Justice of the European Union (the Court) declared Commission Decision 2016/1250 (the Privacy Shield adequacy decision) invalid in its Schrems II judgement. In this blog post we explain when you are allowed to transfer personal data outside of the European Economic Area (EEA), what Privacy Shield is, why the Court declared it invalid, and whether you can still rely on Standard Contractual Clauses for transferring data to the United States and other countries outside of the EEA.

You can find the full judgement here: Judgement in Case C‑311/18

  • Am I allowed to transfer personal data outside of the European Economic Area?

    The GDPR prohibits in principle the transfer of personal data from within the European Economic Area (EEA) to a country outside of the EEA (a third country). You are only allowed to transfer personal data to a third country if you have put appropriate safeguards in place, if a derogation from this rule applies, or if the European Commission has adopted an adequacy decision for that third country.

    The GDPR describes 17 situations in which you are allowed to transfer data outside of the EEA. Click here if you want to learn more about these 17 situations.

  • What is Privacy Shield?

    The EU-US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission. Its purpose was to provide companies in both the EEA and the United States with a mechanism to comply with data protection requirements when transferring personal data from the EEA to the United States. The Privacy Shield mechanism was designed in support of transatlantic commerce. The Commission adopted a decision (2016/1250) in which it determined that the level of data protection offered by this framework was adequate for the transfer of personal data from within the EEA to the United States.

    Organisations in the US can certify themselves by submitting a self-certification to the US Department of Commerce. To be eligible, organisations need to implement various requirements, such as a Privacy Shield-compliant privacy policy. You were allowed to transfer personal data from within the EEA to a receiver in the United States if that receiver held a Privacy Shield certification.

  • Why has Privacy Shield been declared invalid?

    In short, the Court doubted whether the legal system in the United States (US) could offer the level of data protection that is required by the GDPR and the Charter of Fundamental Rights of the European Union.

    US surveillance programs

    Under US law, US intelligence agencies are legally permitted to access personal data in transit to the United States in bulk through various surveillance programs, such as PRISM. These programs are not subject to any judicial review. Instead, they are certified annually by the Attorney General and the Director of National Intelligence.

    Data subjects cannot bring a case before the courts against US intelligence agencies regarding their being subject to these surveillance programs. That means that data subjects do not have any effective and enforceable rights against US intelligence agencies regarding the use of their personal data.

    The Privacy Shield mechanism introduced a Privacy Shield Ombudsman, but this Ombudsman was not actually independent and did not have the power to adopt decisions that are binding on intelligence agencies and on which data subjects can rely.

    The Court's decision

    The Court determined that Privacy Shield cannot offer the same level of data protection as that offered in the EU. First of all, data subjects do not have any effective and enforceable rights against US intelligence agencies that collect their personal data.

    Furthermore, the fact that the personal data can be accessed in bulk means that the scope of the collection of personal data by US intelligence agencies is not delimited in a sufficiently clear and precise manner. As a result, the collection of that personal data cannot be regarded as strictly necessary and therefore does not satisfy the requirements of the principle of proportionality.

    Also, the Privacy Shield Ombudsman did not provide data subjects with any guarantees equivalent to those of the Charter of Fundamental Rights of the European Union, as it was not independent and did not have the power to make binding decisions.

  • Can I still use the Standard Contractual Clauses?

    Standard Contractual Clauses remain valid

    The Commission's decisions on Standard Contractual Clauses (SCCs) remain valid under today's judgement of the Court. This means that, in principle, you can still incorporate SCCs into your data agreements and rely on them as an appropriate safeguard for transferring personal data to a third country.

    Adequate level of data protection must be offered

    However, the Court has determined that, if you are transferring personal data to a third country by relying on SCCs, the data subjects must be offered the same level of data protection as the EU offers through the GDPR and the Charter of Fundamental Rights of the European Union.

    Both the organisation transferring the personal data from within the EEA and the receiving organisation in the third country must assess the level of data protection that can be offered to the data subjects involved in that third country. In this assessment, not only the incorporated SCCs must be taken into consideration, but also any possible access to the transferred personal data by the public authorities of that third country, as well as the relevant aspects of the legal system of that third country.

    Assessments should be made when putting any appropriate safeguards in place

    As there does not seem to be a logical reason why the Court's reasoning would apply only to SCCs, it is highly likely that organisations must always make this assessment when putting any of the appropriate safeguards in place, such as Binding Corporate Rules (BCRs). We therefore recommend that you always assess whether the third country to which you are transferring personal data can offer data subjects the same level of data protection as the EU can. You should consider both the safeguards that you are putting in place and other circumstances in that third country, such as its legal system.

    Standard Contractual Clauses could be suspended or prohibited for certain countries

    According to the Court in today's judgement, the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission if, in the view of that supervisory authority, an adequate level of data protection cannot be offered in that third country. The supervisory authority could come to that conclusion based on its own findings or on a data subject's complaint.

    The United States might not offer an adequate level of data protection

    Considering the Court's reasons for declaring the Commission's Privacy Shield adequacy decision invalid, it is highly likely that an adequate level of data protection cannot be offered to the data subjects involved when relying on SCCs for transfers of personal data to the United States. The possible access by US intelligence and counter-terrorism authorities to the transferred personal data, as well as the lack of judicial review that could protect data subjects against those authorities, indicates that an adequate level of data protection can never be offered.

    Conclusion

    You can still incorporate SCCs in your contracts and rely on them as appropriate safeguards. However, you should assess the level of data protection that can be offered to the data subjects involved in the third country to which you are planning to transfer personal data.

    If the level of data protection that can be offered to the data subjects involved in the third country is evidently inadequate, you should not, in our opinion, rely on SCCs as an appropriate safeguard.

Curious about the consequences of the Court's decision for your organisation or about transferring personal data to a receiver in a country outside of the EEA? Contact us now!