The Court of Justice of the European Union has found that the United States, in matters concerning the protection of personal data transferred from the EU to the US, fails to comply with the principle of proportionality, as adopted by the EU, due to its poorly adapted surveillance programs. This sends a clear warning signal to data controllers. The Court found that the US surveillance of personal data processing does not meet EU standards for non-US citizens. The requirements applied by the US authorities do not grant individuals rights that can be enforced in court.
Is data transfer to the USA safe?
A decision deemed invalid does not mean that personal data may not be transferred to the U.S. This possibility still exists under Article 49 of the GDPR, provided that:
- the data subject has given his/her consent but has previously been informed about the risks associated with the data transfer,
- the transfer is necessary for the performance of the contract between the controller and the data subject,
- the transfer of data is necessary to pursue claims,
- or the data is transferred at the request of the data subject due to the conclusion of a future contract.
Invalidity of decision 2016/1250
The CJEU ruling follows a complaint filed by Maxymillian Schrems with the Irish supervisory authority, requesting a prohibition on Facebook Ireland transferring personal data of EU users to servers belonging to Facebook Inc., located in the United States. The complainant argued that the United States fails to adequately protect user data from public authorities. The complaint was dismissed by the European Commission (EC Decision 2000/520). The Irish court then referred a question to the CJEU for a preliminary ruling. The Court declared the aforementioned Commission decision invalid (Schrems I judgment). Consequently, Schrems amended the complaint and requested the suspension or prohibition of the transfer of his personal data to the United States. Whether Schrems' complaint was successful depended on the validity of Decision 2010/87. Therefore, the Irish supervisory authority initiated court proceedings to submit a request for a preliminary ruling to the CJEU.
The Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the GDPR and the Privacy Shield in relation to regulations applied by the U.S. The Court raised doubts regarding the validity of Decisions 2010/87 and 2016/1250. The Court found Decision 2010/87 valid in relation to the Charter of Fundamental Rights of the European Union, but declared Decision 2016/1250 invalid.
Decision 2016/1250 was considered by the Court to be a decision that prioritised national security, public interest and compliance with US legislation, which resulted in an interference with the fundamental rights of the persons whose data were transferred.
