Escudo de Privacidad

This post is also available in: Español

Today, the Court of Justice of the European Union (the “CJEU“) issued its long-awaited judgment by the Court’s Grand Chamber in Case C-311/18 Data Protection Commissioner/Maximillian Schrems and Facebook Ireland (the “Schrems II Judgment“) assessing the conformity of the Standard Contractual Clauses (the “Standard Contractual Clauses” or “SCCs“) in Decision 2010/87 to the General Data Protection Regulation (the “GDPR“) which has struck down the EU-US Privacy Shield adopted by the European Commission in its Decision 2016/1250 (the “Privacy Shield Decision“).

The Schrems II Judgment specifically addressed the validity of the SCCs and concluded that they do indeed afford safeguards for transfers of personal data to data processors in third countries. The CJEU has held SCCs, in general, to be a valid instrument for transferring personal data to third countries or international organizations.

However, to ascertain whether they provide suitable safeguards for considering that there is an adequate level of protection for processing personal data in third countries, the CJEU has ruled that, in addition to implementing the SCCs, law enforcement regulations in the country in question need to be assessed. Where all of the safeguards established in the SCCs cannot be implemented because of conflicting law enforcement regulations in the country, the data controller or the competent personal data protection authority must suspend transfers of personal data to the country concerned.

Just to recap, the Privacy Shield was set up in 2016, precisely as a result of the CJEU’s ruling of October 6, 2015 invalidating Decision 2000/520 (the “Safe Harbor” Decision). The Privacy Shield put in place a series of safeguards for transfers of personal data to companies based in the United States of America that adhered to that mechanism.

The Schrems II Judgment has now held that limitations on the protection of personal data arising from domestic US law, particularly as concerns potential access to and use of the personal data transferred from the European Union by the US authorities, mean that the United States cannot be regarded as a jurisdiction with a level of protection equivalent to that in the European Union. As a consequence, the CJEU has ruled the Privacy Shield to be invalid.

This extremely important ruling means that the Privacy Shield no longer provides a lawful basis for data transfers to the United States under the GDPR and, hence, that adequacy must be based on the safeguards laid down in article 46 GDPR. We are now waiting to see the reactions from European authorities and the Spanish Data Protection Agency to consider the various alternatives that will allow this kind of data transfers in compliance with the GDPR.

Authors: Pedro Méndez de Vigo and Jorge Monclús

This post is also available in: Español



57 artículos

Jorge Monclús


37 artículos