Privacy Shield has ended. Is there a suitable alternative?

The European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the Privacy Shield Decision, or Privacy Shield), is invalid.

In contrast, Commission Decision 2010/87 of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council is still valid, since its examination in the light of the Charter of Fundamental Rights of the EU disclosed "nothing to affect the validity of that decision".

The Court of Justice of the European Union (CJEU) came to these conclusions on 16 July 2020 in its judgment in Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems.

In the view of the CJEU, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary”[1]. The CJEU further pointed out that, “in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons”[2]. The ECJ added that, “although those provisions lay down requirements with which the U.S. authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the U.S. authorities”[3].

If you transfer personal data to the United States, it is essential that you review your internal policy on transferring (exporting) personal data as soon as possible. In lieu of the Privacy Shield, standard contractual clauses may now be agreed with the U.S. recipients of these data; binding corporate rules or, for example, the explicit consent of data subjects may also provide an adequate alternative.

The European Data Protection Board, however, points out[4] that whether you can transfer personal data on the basis of standard contractual clauses or binding corporate rules depends on the result of your assessment, taking into account the circumstances of the transfer of personal data to the United States or another third country, and the supplementary measures you could put in place. The standard contractual clauses, binding corporate rules, as well as the other supplementary measures, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If, however, you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data.

Be sure to remove any reference to the Privacy Shield in your Data Processing Agreements with U.S. partners. The European Union and the United States are expected to eventually agree on an appropriate alternative to the Privacy Shield, which will remedy the shortcomings, but given the current uncertainties regarding transatlantic political and trade relations, it is difficult to predict when this will happen.

 

[1] Court of Justice of the European Union. Press release No 91/20, 16 July 2020. The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. WWW: <https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf>.

[2] Court of Justice of the European Union. Press release No 91/20, 16 July 2020. The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. WWW: <https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf>.

[3] Ibid.

[4] Ibid.