Schrems II: EU Court of Justice declares EU-US Privacy Shield invalid

The Court of Justice of the European Union (CJEU) has today announced its judgement in the Schrems II case. The court has decided that the protection provided by the EU-US Data Protection Shield is not adequate, and that the Shield is therefore no longer a legal instrument for the transfer of personal data from the EU to the US. However, it considers that Standard Contractual Clauses for the transfer of personal data to data controllers and/or processors established in third countries remain valid.

In brief, Maximillian Schrems, an Austrian citizen, lodged a complaint with the Irish DPA that his personal data processed by Facebook in the US was not sufficiently protected by the EU-US Safe Harbor. On 6 October 2015, the CJEU decided in his favour.

In today’s decision, the CJEU has ruled that the EU-US Data Protection Shield (the Safe Harbor’s replacement) is also not legally valid as “that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security.” In short, this means that the “level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the [EU] Charter [of Fundamental Rights]” cannot be guaranteed. The decision continues that the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” In addition, the US “surveillance programmes based on those provisions are not limited to what is strictly necessary.”

The protections for EU citizens in the US are weak because US “provisions do not grant data subjects actionable rights before the courts against the US authorities.”

Finally, the US Ombudsman, intended to help EU citizens make their case, does not have sufficient binding authority over the US intelligence services.