Court of Justice of the European Union landmark ruling on the transfer of ‘personal’ data out of the EU will impact every business
In July, the CJEU gave judgment in the case known as Schrems II, a landmark data protection case about how companies can lawfully transfer personal data around the world. Most businesses transfer personal data around the world as part of their everyday activities – perhaps to a back office payroll centre in India or to an AWS server in the US or to a Salesforce CRM. Now, the legality of these transfers has been challenged and privacy activists are adamant the ruling is followed through in practice. They have indicated that group litigation and the filing of further regulatory complaints will be on the horizon if organisations fail to take the judgment seriously.
The case centred on the transfer of personal data from within the EU to outside of this bloc. As a general rule, EU data protection law prohibits the transfer of personal data outside of the bloc unless certain safeguarding mechanisms are in place. The case called these mechanisms into question. The recent decision will affect companies registered within the EU. In addition, businesses outside of the EU that hold personal data concerning citizens who are within it will be impacted too. The judgment will also continue to affect UK businesses even after the end of the UK’s Brexit transition phase.
In short, the CJEU has:
- Invalidated the EU/US Privacy Shield scheme. Privacy Shield was a voluntary scheme that US organisations could participate in which allowed EU organisations to lawfully send personal data to the US. The European court has now invalidated this scheme because it believes that US national security surveillance powers are excessive and do not meet the requirements of EU law. Many US service providers (Microsoft, Salesforce, WorkDay, etc.) participated in the scheme so that their EU customers could transfers data to them.
- Declared that ‘Standard Contractual Clauses’ (which are standard contracts approved by the European Commission for data transfers between countries in the EU and countries outside it) remain valid BUT the parties to the SCCs must verify on a “case-by-case basis” whether the laws of the country receiving the data afford compliance with EU law, in particular in relation to access to personal data by government authorities. This could be a very time-consuming and expensive exercise.
For detailed analysis on Schrems II, refer to Norton Rose Fulbright's Data Protection Report blog or click here.
For more information on the judgment, please click here to watch our recent webinar.