Schrems Strikes Again!

The Court of Justice of the European Union (CJEU) on Thursday (16 July 2020, in Case C-311/18, widely known as Schrems II) decided that the controller-to-processor Standard Contractual Clauses (SCCs) remain valid, but that the EU-US Privacy Shield is no longer a valid and adequate instrument for the transfer of personal data to the US. The decision turns on the surveillance powers of the United States government and its agencies: the central concern was state surveillance, and with other regimes expanding surveillance of their own citizens, the ruling will affect relationships with other countries as well. As India moves towards a Personal Data Protection regime, it may feel the heat too, given the allegations of state surveillance raised here.

KEY TAKEAWAYS

SCCs remain valid, but transfers under them must be evaluated on a case-by-case basis. The data exporter must verify that the importing country affords adequate protection in practice (what is now being referred to as a Transfer Impact Assessment), and the Data Protection Authorities (DPAs) are required to suspend or prohibit transfers where that protection cannot be ensured;

The EU-US Privacy Shield (the successor to Safe Harbor, which was struck down in the first Schrems judgment) is no longer valid. Businesses that relied exclusively on this framework will have to look elsewhere, most likely to SCCs or Binding Corporate Rules (BCRs).

Much of the discussion around the decision has stressed how it treats the data protection rights of EU citizens as fundamental. Reading the General Data Protection Regulation (GDPR), the judgment makes clear that, in the absence of an adequacy decision (the Privacy Shield being one such decision), transfers require appropriate safeguards.

Although the Privacy Shield provided a certification framework for participating organisations, its list once included the notorious Cambridge Analytica. It is worth remembering that, apart from state surveillance, episodes such as Cambridge Analytica caused considerable discomfort to EU citizens.

Transatlantic commerce is estimated at upwards of USD 7.1 trillion, and a major share of it depends on large-volume data flows. Coming on top of the ongoing Covid-19 crisis, this setback is bound to affect the 5,000+ companies certified under the Privacy Shield. Larger entities, however, typically operate a broader compliance regime and already have SCCs and/or BCRs in place alongside the Privacy Shield, which should help with business continuity to an extent.

It is important to note that the Court specifies that the assessment of the level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of that third country's legal system. The fact that the transferred data may be processed by those authorities for purposes of public security, defence or state security does not take the transfer outside the scope of the GDPR. Where SCCs are in place between an exporter in the EU and an importer in the US, but the transfer is nonetheless exposed to US surveillance laws, the exporter must suspend the transfer if the clauses cannot be complied with, and the DPA must suspend or prohibit it where the exporter has not done so.

The CJEU reiterated the essential difference between EU privacy law and US surveillance law. Since the EU does not intend to compromise on the rights and liberties granted to its citizens, it falls to the US to amend its surveillance laws if it wants continued and expansive access to the EU market. The CJEU took a dim view of the degree of interference with the fundamental rights of persons whose data are transferred to the US. Further, the Court provided no grace period before the legal basis for transfers to the US must be reassessed. It is now unlawful to transfer data to a US importer on the strength of its Privacy Shield certification alone.

The CJEU has effectively ensured that, whichever framework is relied upon for a transfer, the recipient country must afford a level of protection essentially equivalent to that guaranteed to EU citizens in respect of their data. This requirement of equivalence is a precondition for businesses to transfer data overseas freely and effectively.

It goes without saying that other jurisdictions with strong state surveillance powers, India included, will now come under equally strict scrutiny. The ruling will only egg regulators on towards clamping down on overseas transfers with greater rigour. Incidentally, owing to Brexit, the implications for the UK will have to be considered just as carefully, since the Investigatory Powers Act 2016 will also have to be revisited in light of this.

An interesting consequence could be a push towards data localisation within the EU. For some time now, several jurisdictions have been pressing the concepts of data sovereignty, data localisation and the like. With the CJEU's ruling, entities might not be entirely opposed to keeping data within the EEA where no adequacy decision exists. After all, the mysterious road beckons the young man (Angolan proverb).

About the Authors

Abhishek Malhotra

Abhishek Malhotra is the Founding Partner of TMT Law Practice. He has nearly two decades of experience in the legal field and is a member of both the State Bar of California, USA and the Bar of Delhi, India. His primary areas of expertise are Intellectual Property, Competition Law, Dispute Resolution and the Technology, Media & Telecommunications industries.

Bagmisikha Puhan

Bagmisikha Puhan is an Associate Partner at TMT Law Practice. She graduated in 2014 and specialises in Technology Law, advising clients in the ITeS, media, healthcare, pharmaceuticals and space sectors on regulatory, policy, compliance and transactional matters. A member of the Telemedicine Society of India, Bagmisikha also conducts capacity-building and training programmes. She has worked in-house as part of the Global Data Privacy Team of an Indian MNC and has worked extensively on matters concerning the data privacy and data protection laws of several jurisdictions.