Back in January we reported that Henrik Saugmandsgaard Oe, the advocate general to the Court of Justice of the European Union (CJEU) published his advice to the CJEU in Schrems II.

You will recall that Max Schrems is the Austrian privacy activist whose actions in the courts brought down the EU’s Safe Harbour data regime back in 2015 - and has been taking Facebook and others to task for years over the exporting of data from Europe for processing in the US.

Shrems II has been an attempt to show that the so-called “Privacy Shield” arrangement for EU-U.S. data transfers is merely an update to the previous system and remains unlawful.

The advocate general concluded that the “standard contractual clauses for the transfer of personal data to processors established in third countries is valid”. We noted that while it was a non-binding opinion and not a ruling as such, opinions from the advocate general to the CJEU are typically followed in the majority of cases. 

The CJEU has now delivered its judgment in that case (Schrems II) on 16 July 2020, finding that Standard Contractual Clauses remain valid and that the Privacy Shield is invalid. This essentially makes the movement of personal data from the EU to the US pretty much impossible and any business or organisation that transfers personal data will need to adapt quickly in light of this judgment.

The ICO has released an updated statement saying “The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK”.

The CJEU has also further burdened data exporters who wish to make use of SCCs. Anyone exporting data must ensure that “the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country”. Additional safeguards, beyond the SCCs, may be required. SCCS, which date back to 2010 and do not reflect the GDPR requirements, were due to be updated and modernized.

In the meantime, organisations should:

Assess what data they transfer out of the EU and on what basis

Keep an eye out for guidance including from the European Data Protection Board and the European Commission.