European Court Strikes Another Blow at Transatlantic Personal Data Flows

European Court Strikes Another Blow at Transatlantic Personal Data Flows

Europe’s top court has invalidated the EU-US Privacy Shield, wiping away a system set up to ensure companies could transfer personal data from the EU to the US while protecting the personal data of EU citizens in line with the GDPR and EU Charter of Fundamental Rights.

The Court’s ruling addresses two data transfer mechanisms, the Privacy Shield and the use of Standard Contractual Clauses for international data transfers. While much of the initial reaction has focused on the invalidation of the Privacy Shield, the Court’s judgment creates additional complexity for the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to third countries and opens the door for aggressive enforcement by national regulators.

On the EU-US Privacy Shield, the Court of Justice of the European Union (CJEU) pointed to two key flaws in the framework which meant that EU citizens did not benefit from an equivalent level of data protection in the United States and EU, in line with the requirements of the GDPR. The Court noted that the provisions of the Privacy Shield allowed for disproportionate and unlimited breaches of the fundamental rights of EU citizens and did not confer EU citizens with rights which were enforceable against US authorities in court. While this conclusion is not surprising, it establishes a high bar for the US and EU to overcome if they want to create a successor system to the Privacy Shield. At first glance, it appears that any replacement would require a change in US legislation which permits personal data gathering and surveillance or a change in the surveillance activities of the US government and its agencies, excluding the data of EU citizens from surveillance and doing so in a way which would satisfy a court.

On Standard Contractual Clauses, which were the actual subject of the court case, the CJEU found that they are a valid mechanism to transfer personal data to non-EU countries, however companies and organisations using SCCs need to ensure that they comply with EU data protection law, taking into account how they use the SCCs and the local law and practices of the country to which they are transferring data. National data protection authorities have been empowered by the judgment to assess whether an individual company’s use of SCCs protects the privacy of EU citizens and to suspend of prohibit transfers where they determine that this is not the case.

This part of the judgment potentially opens the door to aggressive enforcement of the GDPR by data protection authorities at a national level and the possibility of test cases being taken against certain companies with the data protection authority then prohibiting the use of SCCs by any organization to transfer personal data to a certain third country. The GDPR has mechanisms in place for national data protection authorities to co-operate on issues which are likely to have a cross-border impact and banning the use of SCCs to transfer data to a third country certainly seems to fall into this bracket. However, national data protection authorities frequently disagree on the application and enforcement of the GDPR, especially in cross-border cases where some regulators are perceived as being slow or unwilling to act. This means that individual data protection authorities may feel the need to act quickly to prevent the privacy rights of their citizens being violated overseas.

Image:Business photo created by freepik – www.freepik.com

Related Articles

Access Alert: Enhancing Efficiency in India’s Logistics Through AI and Digital Integration

Access Alert: Enhancing Efficiency in India’s Logistics Through AI and Digital Integration

A recent panel discussion at the Bengaluru Tech Summit 2024 on 20 November 2024 focused on the transformative role of...

29 Nov 2024 Opinion
Access Alert: How Will Deepfake Regulations in APAC Impact Your Business?

Access Alert: How Will Deepfake Regulations in APAC Impact Your Business?

The rise of deepfakes – AI-generated content that manipulates audio, video, or images to create realistic but false representations –...

29 Nov 2024 Opinion
Access Alert: UK Government Announces £3.5M Funding Opportunity for Satellite Connectivity Projects

Access Alert: UK Government Announces £3.5M Funding Opportunity for Satellite Connectivity Projects

Introduction The UK Space Agency (UKSA) has launched a funding call of up to £3.5 million aimed at advancing satellite...

28 Nov 2024 Opinion
What’s next for AI global governance?

What’s next for AI global governance?

The recent AI Policy Lab webinar, AI Global Governance: Harmonisation or Fragmentation?, hosted by Ali Azeem, Access Partnership’s Global Head...

26 Nov 2024 Opinion