This month, in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, the Court of Justice of the European Union invalidated a 2016 decision on the adequacy of the EU-US Data Protection Shield. See the judgment posted here.
The ruling means that companies transferring data to the United States may be fined under the GDPR, since American measures to protect the privacy of personal data are inadequate.
In 2015, the Court had ruled that the United States did not provide an adequate level of protection for the personal data of Maximillian Schrems. Facebook transferred Schrems' data to servers located in the United States. Schrems re-filed his complaint, and sought to suspend future transfers of his personal data by Facebook Ireland to the United States. These are the key points of its July 2020 decision:
1. Data processing by a third country for national defense and public safety falls within the scope of the GDPR.
2. Personal data transferred to a third country must be subject to the same level of protection guaranteed in the EU under the GDPR.
3. Assessments of the level of protection should take into account the contract entered into by the EU data exporter and access to the data by the public authorities of the third country.
4. Supervisory authorities must prohibit the transfer of personal data to a third country where the standard data protection clauses cannot be complied with, and the personal data cannot be protected by other means.
5. The Court did not invalidate its prior decision, 2010/87, that requires a data exporter and the data recipient to verify that the level of protection is adequate prior to the transfer and to terminate a contract if the protection is found to be inadequate.
6. "The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."
7. In reaching its conclusion, the Court stressed the importance of the fact that data subject would not have a cause of action before a court that could provide the level of protection required by EU law by issuing a decision binding on United States intelligence services.