European Court of Justice ruling to invalidate the EU-U.S. Privacy Shield and its impact on transfer of personal data to the US
The General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, governs the transfer of personal data by entities subject to the GDPR to third countries. The simplest basis for such transfer for a personal data controller or processor is an adequacy decision, which means that the European Commission (EC) has determined that a country, territory, or sector ensures an adequate level of protection. Such transfer neither requires any specific authorisation nor imposes any obligations on the parties.
On 12 July 2016, the EC adopted Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, which stipulated that US companies that had self-certified their adherence to the EU-U.S. Privacy Shield Framework Principles had ensured an adequate level of protection. This permitted transfers of personal data under the least restrictive requirements to companies that are part of the EU-U.S. Privacy Shield, while other bases for data transfers remained available for entities outside the Privacy Shield.
On 16 July 2020, the European Court of Justice (ECJ) issued its Judgment C-311/18 that invalidated the EC’s decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield, which means that this basis of data transfer can no longer be relied upon.
In accordance with the Serbian Personal Data Protection Law, the Serbian Government ruled (Official Gazette of the Republic of Serbia, No. 55/19 of 2 August 2019) that US organisations that are part of the EU-U.S. Privacy Shield ensured an adequate level of protection for the purposes of data transfer. This decision was based on the EC’s recognition that adherence to the EU-U.S. Privacy Shield Framework Principles constituted an adequate level of protection. As the EC’s decision has now been declared invalid, EU-U.S. Privacy Shield is no longer deemed to provide an adequate level of protection for the purposes of Serbian data privacy law. As such, data controllers or processors who have been relying on this approach to transfer data to the US will now have to seek alternative arrangements that are in compliance with Serbian law.
The accuracy of this interpretation has been confirmed by the Serbian Commissioner for Freedom of Information and Personal Data Protection, who has written to the Serbian Government to seek alignment of its decision of 2 August 2019 with the ECJ judgment. To the best of our knowledge, the Government is yet to respond.
In conclusion, personal data transfers to the US are no longer subject to the least restrictive basis of transfer (adequacy of protection), even if limited only to organisations adhering to the EU-U.S. Privacy Shield Framework Principles For transferring data to the US, entities that are subject to either the GDPR or Serbian data protection law will have to rely on a different basis set out in the GDPR or national legislation.