Invalidation of “Privacy Shield Pact” on Data Transfers Between European Union and the United States

Invalidation of “Privacy Shield Pact” on Data Transfers Between European Union and the United States

I. Introduction  

On July 16th, 2020 Court of Justice of the European Union (“the Court of Justice”) made a decision known as “Schrems II” which strikes down the Privacy Shield Decision Numbered 2016/1250 allowing data  transfers from European Union (“EU”) to the United States.    

The General Data Protection Regulation (“GDPR”) provides that the transfer of such data to a third party may,in principle, take place only if the third country in question ensures an adequate level of protection.  According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic      law or its international commitments, an adequate level of protection.  In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the  EU has provided appropriate safeguards, which may arise,  in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal  remedies. 

II. What is Privacy Shield? Why is it invalidated? 

1. Schrems I Decision – Invalidation of Safe Harbour Pact  

In 2013, Maximillian Schrems,an Austrian national residing in Austria, filed a complaint with the Irish data Protection Commisioner stating that his personal data is transferred by Facebook Ireland to servers  belonging to Facebook Inc. that are located in the United States where it undergoes processing and the US National Security Agency (“NSA”) has access to these data, mentioned transfers must be prohibited.  However, that complaint was rejected on the ground in the Safe Harbour Decision, which finds that the  United States ensured an adequate level of protection.  

Later during the process since Mr. Scherms filed and application in the Irish High Court, the case was taken to the Court of Justice. In 2015  the Court of Justice annuled the Safe Harbour Agreement (“Schrems I Decision”).  

2. Privacy Shield Pact  

Right after Schrems I, European Commission constituted the Privacy Shield mechanism which enables data transfers between the EU and  the United States in 2016, nad all the EU member states were engaged to it.  Privacy Shield was meant to provide;  

  • new safeguards to people including more control over how their information is used;  

  • the right to go to courts in the United States if they thought that a company or the United  States government had misused their data; 

  • a guarantee that the United States government could not collect data without sufficient  cause.  

3. Schrems II Decision: Annulment of Privacy Shield Pact  

Now,  nearly two years after, the Court of Justice declares that the Privacy Shield pact is invalid because of the reasons below:  

  • the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by the United States public authorities of such data transferred from the European Union to that third country are not circumscribed in a way that staisfies requirements that are essentially equivalent to those required under the EU law, by the   principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. 

  • although those provisions lay down requirements with which the United States authorities must comply when implementing the surveillance programmes in question, the provisions  do not grant data subjects actionable rights before the courts against the United States   authorities. 

  • Additionally the Court of Justice considers; 

  • that the EU law, and in particular the GDPR, applies to the transferof personal data for commercial purposes by an economic operator established in a member state to another economic opertor established in  a third country, even if, at the time of that transfer of  thereafter , that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security.  

  • this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR regarding the level of protection required. 

  • Briefly, such data transfers must meet GDPR’s high data protection standards.  

III.  Impacts of the Annulment  

The ruling affects thousands of multinational companies that need to transfer any kind of personal data  such as financial records, human resources materials,marketing databases, customer records etc., to  keep business going. The question is how these European resident companies can transfer data to the United States without the Privacy Shield Pact?   

The Court of Justice holds that the data exporter established in the EU and the recipient of the transfer  established in the United States  can keep transferring data by agreeing the “standard contractual clauses” which affords a level of protection essentially equivalent to that guaranteed within the EU by the  GDPR. We may state that these “standard contractual clauses” are almost identical with the  provisions of  the “Undertakings” used for international data transfers from Turkey to abraod. The level of protection will be assessed by taking into account both the security measures taken in the data recipient country, as well as the domestic law regulations of the third party country's (in this case, the United States) access to the transferred data. 

Another method is applying  Binding Corporate Rules which are used for the transfer of personal data abroad for multinational group companies operating in countries where adequate protection is not available and that ensures adequate protection in writing. Group companies resident in both the EU and the United States can transfer data between each other by Binding Corporate Rules method.  

As Turkish data protecton practice is closely watching how GDPR is applied, we expect that the international data transfers at least for a while, will take place by using Undertakings ( the Standard   Contractual Clauses) or the Binding Corporate Rules method requesting the Turkish Data Protection  Board’s (the Board) consent  since the safe country list has not been announced.  

Kindly submitted for your information. Please see the public statement of the Court of Justice here .  
For any questions , please contact us at  and  +90 216 687 03 22.  

Best regards, 

Share This Artcle :