23 July 2020 – By judgement of 16 July 2020, the Court of Justice of the European Union (CJEU) declares that the European Commission’s Decision of 12 July 2016, finding that under the EU-US Privacy Shield Framework the USA ensures an adequate level of protection of the personal data transferred, is invalid (Judgement C-311/18).

Under the EU’s General Data Protection Regulation (GDPR), data controllers and data processors may transfer personal data outside of the EU only in certain limited circumstances. In particular, the transfer of personal data to countries that the European Commission deems not to provide an adequate level of data protection requires (in most cases) specific safeguards. On the other hand, where the European Commission decides that the destination country offers an adequate level of data protection, there is no mandatory requirement for specific safeguards.

In this respect, the European Commission considered that personal data transfers from the EU to the USA benefitted from an adequate level of protection, provided that the US-based data recipient was certified under the EU-US Privacy Shield. Indeed, prior to its invalidation, this framework allowed US-based entities to certify under the EU-US Privacy Shield, thereby offering an equivalent level of data protection to that afforded under the GDPR (see our news 13.07.2016). A closely matching framework, the Swiss-US Privacy Shield exists and was designed to offer the same results for Switzerland-to-USA transfers of personal data (see our news of 12 April 2017).

The Privacy Shield Framework comes as a consequence of the CJEU’s invalidation of the EU-US Safe Harbor framework (see our news of 7 October 2015). By ricochet, the Swiss-US Safe Harbor also came to an end (see our news 22 October 2015).

In Judgement C-311/18, the CJEU found again that the protection of personal data under the EU-US Privacy Shield does not meet the standards required under EU law. This is in particular the result of the CJEU’s findings that EU residents (non-USA nationals) do not have sufficient legal remedies in cases of data processing under US national security programs.

The CJEU however ruled that the so-called “Standard Contractual Clauses” (SCCs), which are safeguards under the GDPR for personal data transfers to jurisdictions that do not offer an adequate level of data protection, remained valid. However and more importantly, the CJEU considers it is the data exporting party’s responsibility to verify beforehand whether the level of protection required by the GDPR is met in the third country with respect to which personal data is transferred using the SCCs and if the use of SCCs offers sufficiently strong protection. This means that while SCCs provide a viable alternative to continue data transfers, they are not necessarily sufficient and require a case-by-case assessment; they may indeed require additional contractual guarantees in order to offer sufficient data protection.

The situation in Switzerland is uncertain at the time of writing. The Swiss-US Privacy Shield remains formally valid and in effect. The Federal Data Protection and Information Commissioner (FDPIC) is however reviewing the situation in light of the CJEU’s judgement and it is likely that the Swiss-US Privacy Shield will also fall in the near future. Swiss businesses are therefore strongly advised to identify any categories of personal data which they transfer from Switzerland to US-based entities solely relying on such US-based entities’ Swiss-US Privacy Shield certification. For such transfers, specific safeguards such as the SCCs (the EU’s SCCs, possibly adapted to Swiss law) must be implemented, unless an exception applies. That said, in the light of the CJEU’s decision, Swiss businesses switching to the use of SCCs or already using SCCs for transfers of personal data to jurisdictions not offering an adequate level of data protection for the personal data being transferred should in any case reassess the use of the SCCs and, if necessary, supplement them with additional contractual guarantees. Moreover, businesses should closely monitor new developments.

Further news will be published on www.dataprotection.ch on this topic, as soon as the FDPIC releases information about the outcome of his review.