The European Court of Justice adopted a decision with regard to the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems case. The Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (Decision 2010/87/EU) is declared valid, whereas but invalidates Commission Implementing Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield. The Court`s reasoning is that there are restrictions regarding the protection of personal data, arising from United States’ national legislation on the access and the use of such data by US public authorities. The Court finds that these restrictions are disproportionate and that the mechanism for protecting the rights of data subjects before the US Ombudsman does not provide sufficient guarantees for the rights of individuals equivalent to those existing in the EU.
In view of this decision, the transfer of personal data will have to take place through the other existing mechanisms envisaged in Regulation (EU) 2016/679, that provide appropriate guarantees for data subjects, such as binding corporate rules, standard data protection clauses adopted by the European Commission, the standard data protection clauses adopted by a supervisory authority or the data protection clauses approved by a supervisory authority. The definition of standard data protection clauses, the approval of data protection clauses and the approval of binding corporate rules by a supervisory authority are also subject to an opinion by the European Data Protection Board.
