With its judgment of 16 July 2020, the European Court of Justice (ECJ) invalidated the EU-US Privacy Shield (Privacy Shield) (C-311/18 – Schrems II). The Privacy Shield thus suffered the same fate as its predecessor, the Safe Harbor framework, which the ECJ declared invalid in 2015 (C-362/14 – Schrems I). Companies are now called upon to take immediate action regarding the transfer of personal data to the USA to avoid being targeted by the supervisory authorities, as the ECJ has not granted any transitional or grace period. This means that, as of now, many companies can no longer transfer personal data to their American sister, subsidiary or parent companies, business partners or cloud services if the transfer is based on the Privacy Shield.
In 2013, the Austrian data protection activist Max Schrems filed a complaint against the transfer of personal data by Facebook to the USA. In the complainant's view, US law did not sufficiently protect the processed data from the surveillance activities of the US authorities. In October 2015, the European Court of Justice declared the adequacy decision of the EU Commission known as Safe Harbor to be invalid.
According to the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and its predecessor, Directive 95/46/EC (Data Protection Directive), personal data of EU citizens may only be transferred to countries outside the EU under certain conditions. This is the case, inter alia, if the EU Commission has determined in a so-called adequacy decision that an adequate level of data protection is guaranteed in the destination country. In its adequacy decision regarding Safe Harbor, the EU Commission had failed to make any statement on the equivalence of the level of protection in the USA. Consequently, the ECJ invalidated Safe Harbor without itself having to make findings on the level of protection in the USA.
What did the Privacy Shield regulate?
The successor arrangement, the Privacy Shield, was agreed between the EU and the USA in 2016, which led to the corresponding adequacy decision by the EU Commission. This time, the Commission explicitly stated, taking into account the commitments made by the USA, that the level of protection in the USA was essentially equivalent to that in Europe. US companies wishing to receive personal data of EU citizens under the Privacy Shield had to register on a list maintained by the US Department of Commerce. Registration on the list constitutes a self-certification by which the company commits itself to respect the principles of the Privacy Shield.
Facebook, Google and many other companies subsequently relied on the Privacy Shield for the transfer of personal data from the EU to the US.
Why was the Privacy Shield overturned?
In the opinion of the ECJ, there is no equivalent protection for the data of EU citizens in the USA because of the extensive access powers of the US authorities. The US surveillance programmes are not limited to what is strictly necessary. In addition, the lack of effective legal remedies for EU citizens came under criticism. According to the ECJ, the PRISM and UPSTREAM programmes of the US security authorities, which the court examined, permit comprehensive and indiscriminate state surveillance. Internet traffic is read on a large scale and made accessible to the intelligence services on the basis of selectors. Moreover, judicial review is not possible, or only possible to a limited extent. The Privacy Shield provides only for an ombudsperson, to whom data subjects can turn in the event of possible infringements. The ECJ doubts whether the ombudsperson is independent and can make decisions that are binding on the intelligence services.
Processing on the basis of standard contractual clauses
The ECJ ruling does not, however, mean that data transfers to the USA are now completely inadmissible. In the absence of an adequacy decision, the transfer of personal data is also permitted on the basis of standard contractual clauses. The standard contractual clauses are pre-formulated contract templates adopted by the EU Commission, which are intended to guarantee compliance with adequate data protection standards even in countries without an adequate level of protection. Since they are "mere" contracts, the standard contractual clauses are binding only on the parties, namely the EU "data exporter" and the US "data importer". Naturally, they have no effect on the general level of data protection in a third country, in particular on the access powers of security authorities.
The ECJ did not render data transfers based on standard contractual clauses ineffective. However, the ECJ will no longer allow the mere conclusion of a contract to suffice.
The court stressed that companies are obliged to check carefully, before any transfer, whether the required level of data protection is observed in the recipient country, because the contractual guarantees are worth little if companies in the USA can be compelled to make personal data available to the authorities. If the legal assessment shows that there is no sufficient guarantee in the third country for the protection of the transferred data (which applies particularly where state authorities have powers of access to such data), transfers based on the standard contractual clauses must be discontinued. This means that transfers to the USA on the basis of standard contractual clauses also carry a considerable risk.
Data protection authorities are obliged to suspend or prohibit transfers of data if they consider that the standard contractual clauses are not being, or cannot be, complied with in practice in the recipient country. The German data protection authorities have already stressed that it is crucial that the guarantees provided by the standard contractual clauses can be implemented in practice. If this is not the case, consideration should be given to what additional measures can be taken to ensure a level of protection essentially equivalent to that in the EU. However, the law of the third country must not affect these additional protective measures in such a way as to frustrate their actual effect. On the German authorities' reading of the ECJ ruling, standard contractual clauses without additional measures are generally not sufficient for data transfers to the USA. Whereas the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate clarified that data transfers to the USA can nevertheless remain admissible on the basis of the standard contractual clauses, the Berlin Commissioner for Data Protection and Freedom of Information has already called for an immediate switch from US providers to service providers in the EU. It is highly desirable that the European Data Protection Board swiftly brings about coordination among the supervisory authorities and establishes for which countries, and under what conditions, it considers the level of protection adequate.
What companies need to do now
Companies should now determine whether they themselves or their processors transfer personal data (e.g. of customers or employees) to companies in the USA on the basis of the Privacy Shield or of standard contractual clauses. Transfers of personal data based on the Privacy Shield should be stopped to avoid sanctions by the supervisory authorities. At the same time, the contractual partner in the USA needs to be contacted to assess whether the data transfer can be based on standard contractual clauses and whether these, in practice, guarantee an adequate level of data protection.
In general, companies should take the ECJ ruling as an opportunity to examine whether US data transfers are necessary at all and what options exist for processing the data within the EU. Moreover, some large US cloud providers offer configuration options to locate data on servers in the EU, where access by US intelligence services is at least more difficult. However, it is not enough for the processing and storage of personal data to take place in the EU: support, for example, must then also be provided from within an EU member state, because even temporary remote access to EU data from the USA already constitutes a transfer to a third country.