In the Case C‑311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, the Court of Justice of the European Union (CJEU) issued a landmark decision on data treatment outside the European Union on 16 July 2020.

The case dealt with Maximillian Schrems, an Austrian national residing in Austria, who lodged a complaint with the Irish data supervisory authority seeking to “prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (5) (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’)”.

The Court said that “personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the European Union by the GDPR, read in the light of the Charter of the rights of the European Union”.

In this same decision, the Court invalidated the Commission decision N. 2016/1250 on the adequacy of data protection so far ensured by the EU-US Privacy Shield (that allowed data transfer so far). The level of protection is not equal also because of the possibility give to US intelligence to access data anytime under US national security law provide.

The consequences of this judgement are not clear yet, but it has the potential to put a halt to the legal transfer of personal data from the EU to the US by businesses, or even to block data transfer between Europe and any other third country, UK included.

“Cross-border transfers of human resources data are the lifeblood of U.S. multinationals that centrally manage their global workforce from the parent corporation’s U.S. headquarters. Without these transfers, payroll and benefits, network access and online communications, succession planning, and myriad other functions fundamental to a global organization would grind to a halt” as stated in the IAPP website (news on data protection). Moreover, it is not possible to derogate from GDPR by providing the employees’ express consent. 

Therefore, the only remedy at the moment for US employers is to start organising a possible move of data treatment to Europe, or understanding which data are transferred through the EU-US Privacy Shields.