On July 16, 2020 the European Court of Justice (ECJ) issued an epochal decision (judgment in case C-311/18 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems): not only was the Privacy Shield wiped out (the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield was invalidated) but the ECJ, which formally spared the Commission’s decision on Standard Contractual Clauses, in fact also undermined this instrument, by calling the supervisory authorities to examine their concrete effectiveness and their possible suspension. In fact, as you can read in the press release:
Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.
The situation of data transfer to third countries, and the USA in particular, is getting really complex. In fact, if the problem is that US law could infringe on individuals’ right of privacy, it will be difficult to demonstrate that the standard contractual clauses are effectively applied in the U.S. and do not suffer any erosion by the same US regulations. Therefore, if in the aftermath of the fall of the Safe Harbor, controllers quickly turned to standard contractual clauses to continue the transfers of personal data to the U.S., today this switch could not guarantee the same result; this could generate a real paralysis for those who cannot use BCR (Binding Corporate Rules).