On 16 July 2020, the Court of Justice of the European Union (CJEU) has surprisingly annulled the EU-US Privacy Shield, the data transfer mechanism frequently used by EU companies for transferring data to the US. The case originated from Max Schrems’ complaint filed before the Irish Data Protection Authority in 2015, challenging Facebook’s data transfers to the US, which the authority brought before the Irish High Court asking it to make a reference to the CJEU for a preliminary ruling.
In its judgment, the CJEU took the position that the US law does not provide an adequate level of personal data protection in line with the GDPR, primarily because it does not effectively restrict the activities of the US intelligence services and fails to ensure effective remedies for persons whose data are transferred, therefore rendering the Privacy Shield invalid.
In addition, the CJEU confirmed that the Standard Contractual Clauses (SCCs), the mechanism most extensively used for transferring personal data from the EU to third countries globally (US including), still generally remain valid. However, the court also underlined the GDPR requirement to ensure in each specific case that data subject rights and effective legal remedies are available in the importer’s country. This means that EU companies relying on SCCs will need to actively assess whether the transferred data will enjoy the level of protection as required by the GDPR, and to suspend the transfers if this is not the case, rather than just “tick the box” when executing the template SCCs.
Based on the reasoning behind the CJEU’ annulment of the Privacy Shield, relying on SCCs for data transfers to the US may indeed be considered problematic in the future. This will require more extensive due diligence by exporting companies in each specific case, resulting in heavier burden for businesses and constant fear that authorities might eventually disagree with the company’s assessment.
What does all this mean for Serbian companies transferring personal data to the US?
The Serbian Data Protection Law is modelled upon the GDPR and refers to the EU’s list of adequate countries (which, until yesterday, included the US, for Privacy Shield certified companies) as the ones to which transfers from Serbia are also permitted. Since the Privacy Shield is no longer recognized in the EU, it follows that Serbian companies transferring data to the US will no longer be able to rely on it either, and will need to look elsewhere for a valid transfer mechanism.
The SCCs (controller to processor) approved by the Serbian Data Protection Authority will likely be the most obvious choice, but their sufficiency will need to be evaluated by the companies in each specific case, as the Serbian law also copies the above GDPR requirement – that transferred data enjoy the same level of protection, and that data subject rights and effective legal remedies are available in the importer’s country.
This will be anything but an easy exercise, perhaps even tougher in Serbia than in the EU, as Serbian businesses are still struggling to reach even a basic level of data protection compliance. “When in Rome, do as the Romans do”, goes the old saying, and Serbian EU aspirations obviously warrant implementing the EU data protection rules and practices as well. It is yet to be seen how thoroughly the “Romans” will address this new development and if will there will be any best practices to be copied by the bordering nations craving to join the Empire.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.