16 July 2020
Schrems II – 4 of 4 Insights
The European Court of Justice (ECJ) today caused a sensation: the EU-US Privacy Shield negotiated between the EU Commission and the USA is invalid. There is no transitional period. As a result, personal data of EU citizens can no longer be lawfully transferred to the USA on the basis of the EU-US Privacy Shield.
At the same time, the ECJ ruled that the EU standard contractual clauses (SCC) are to be regarded as valid in principle. Nevertheless, in individual cases, an EU company that transfers personal data to a state outside the EU or the EEA (third country) and the data importer in the third country must check whether an adequate level of protection is maintained. If this is not the case, the data exporter in the EU must suspend the data transfer or the data protection authorities may prohibit the data transfer (judgement of 16 July 2020, case C-311/18, see press release - judgement in English).
As a general rule, personal data may only be transferred to third countries if they provide an adequate level of data protection. An adequate level of data protection can be positively determined by the EU Commission by means of an adequacy decision. Such a decision currently exists for thirteen third countries, including the USA, the so-called EU-US Privacy Shield. However, this is subject to the special feature that the level of data protection is not considered adequate for the USA as a whole. Rather, this applies only to a US company that is subject to the rules of the EU-US Privacy Shield and is certified accordingly.
If there is no such adequacy finding, as is the case with China or India, for example, an adequate level of data protection can be ensured by other mechanisms. One option is that the EU company wishing to transfer data to a third country concludes the SCC with the company in the third country which is to process the personal data.
The ECJ ruling removes the option of basing data transfers to the US on the EU-US Privacy Shield. The use of the SCC creates a number of complex verification obligations for data transfers to third countries - and now even considerable risks for transfers to the USA.
How did the decision of the ECJ come about in the first place? In 2013, Max Schrems, an Austrian data protection activist and user of the US social network "Facebook", filed a complaint with the Irish Data Protection Commission (DPC). Facebook is operated in Europe by Facebook Ireland Limited (Facebook Ireland). Facebook Ireland transfers data of its European users to servers of the US-American parent company Facebook Inc. Schrems requested the DPC to prohibit the transfer and processing of personal data of Facebook users on servers of Facebook Inc. in the USA. He referred to the activities of the US intelligence services, in particular the National Security Agency (NSA), revealed by Edward Snowden in 2013. According to this, Facebook Inc., among others, is also alleged to have passed on personal data of users to US authorities as part of the NSA's PRISM mass surveillance programme. In doing so, it was argued that US law and practice did not provide adequate protection of data stored in the USA from the surveillance activities of the authorities there.
In 2013, Facebook Ireland based the transfer and processing of data to the USA on the so-called "safe harbor" agreement. However, the validity of the safe harbor agreement was reviewed by the ECJ in the context of the dispute between Schrems and the DPC. And indeed, the ECJ declared the safe harbor agreement invalid. As a result, the EU Commission adopted the EU-US Privacy Shield. Meanwhile, Facebook Ireland and Facebook Inc. concluded an agreement on data transfer and processing in the USA, which was based on the SCC.
Schrems then claimed vis-à-vis the DPC that the agreement between Facebook Ireland and Facebook Inc. was not sufficient to ensure that personal data of Facebook users were transmitted and stored on servers of Facebook Inc. in the USA in a manner compliant with European data protection regulations. Under US law, Facebook Inc. is obliged to provide the personal data of Facebook users to US authorities such as the NSA or the Federal Bureau of Investigation (FBI) as part of their monitoring programs. Even if the transfer was made on the basis of the SCC, he argued, there would not be sufficient protection against this for the EU citizens concerned, and the DPC would have to suspend the transfer in application of the Commission Decision on the SCC. The DPC found itself unable to decide the case without prior examination of the validity of the Commission Decision on the SCC and brought an action before the High Court, which in May 2018 in turn referred various questions on the validity of the SCC and the EU-US Privacy Shield to the ECJ for a decision. The ECJ has now ruled on this.
The ECJ considers the SCC to be valid. The SCC contained effective mechanisms to protect EU citizens whose personal data would be transferred from the EU to a third country. This is true even though the SCC only bind the contracting parties, i.e. the data exporter in the EU and the data importer in the third country.
However, before any transfer of personal data to a third country by the parties, it should be verified whether the EU citizens whose personal data are transferred enjoy a level of protection equivalent to that guaranteed in the EU by the General Data Protection Regulation and the Charter of Fundamental Rights of the European Union (the Charter). The assessment of whether such an equivalent, i.e. adequate level of data protection exists is based both on the contractual obligations in the SCC as well as on whether the legal system of the third country also provides for such a level of protection, in particular with regard to access to data by public authorities.
Therefore, the parties concerned would have to assess in particular, on a case-by-case basis, whether the data importer in the third country is able to comply with the SCC at all or whether the legal system of the third country prevents this. If the legal system of the third country does not provide for an adequate level of protection, no data transfer may take place. However, the ECJ also obliges the competent data protection authority to intervene and prohibit the data transfer if it considers that the SCC are not (or cannot be) respected in the third country.
The ECJ has a clear position on the EU-US Privacy Shield. It declares this to be invalid! All data transfers from the EU to the US, which were previously based on this, are now to be considered illegal. The ECJ justifies this in particular as follows:
According to the EU-US Privacy Shield, the requirements of national security, public interest and compliance with US law would take precedence over the fundamental rights of EU citizens whose data are transferred to the US under the Charter. In particular, the monitoring programmes of the authorities based on US law are not limited to the absolutely necessary extent. The associated restrictions on data protection were therefore disproportionate under European Union law.
Furthermore, the EU-US Privacy Shield would not provide the EU citizens concerned with legal protection comparable to that provided by European Union law. There is an ombudsman procedure, in which an ombudsperson in the USA may be called upon to safeguard the rights of the persons concerned vis-à-vis the US authorities. However, the EU citizens concerned do not have the possibility of having the independence of the ombudsperson reviewed. Furthermore, there are no standards which authorise the ombudsperson to issue binding decisions vis-à-vis the US intelligence services.
The ECJ ruling forces all internationally active companies in the EU to closely examine their data transfers to third countries, in particular the USA.
To the extent that companies in the EU have so far justified a data transfer to the US on the basis of the EU-US Privacy Shield, they will need to act quickly. This data transfer is now illegal. It is to be expected that the data protection authorities will soon begin to review the legality of such data transfers. These companies must therefore immediately examine whether they can carry out their data transfers to the US on the basis of other mechanisms. It is highly questionable and will have to be examined very carefully whether, after today's judgement, the SCC are still a sufficient alternative for transfers to data importers in the US.
Also with regard to other third countries, the data transfers based on SCC should be reassessed in the light of the ECJ ruling. For the ECJ has made it clear that before personal data are transferred to third countries, but also during continuous data transfers, compliance with an adequate level of protection must be checked and ensured.
It is expected that the German and European data protection authorities will position themselves on this in the near future. So, while still awaiting the comments of the data protection authorities, what can companies do in principle? Possible activities, which are nevertheless sometimes organizationally complex or risky, can be: