23 July 2020
Schrems II – 1 of 3 Insights
On 16 July 2020, the CJEU delivered its judgment in the “Schrems II” case (C-311/18), which may cause significant difficulties, and not just for the digital economy, inside and outside Europe.
In the ruling, the CJEU declared the EU-US Privacy Shield, in particular, to be invalid because personal data in the USA is not sufficiently protected from the US authorities and the possibilities for legal protection are insufficient. First, the US intelligence services have overly extensive powers to access data, especially with regard to persons who are not US citizens. Second, the ombudsman mechanism of the US State Department cannot provide the legal protection required under the European Charter of Fundamental Rights. In contrast, the standard contractual clauses (“SCC”) issued by the Commission remain valid. However, in the case of data exports, it is no longer sufficient to simply agree on the SCC. Instead, the data exporter and importer must ensure that in the country of destination the transferred data enjoys a level of protection comparable to that provided under the GDPR in the light of the European Charter of Fundamental Rights. Following the ruling, it is particularly questionable whether this can be guaranteed at all for the USA, because the SCC, as a contractual agreement, cannot bind the authorities. Many questions remain open for the companies affected.
However, the European Commission believes that transatlantic data flows can continue for the time being, since the SCC remain in force (https://ec.europa.eu/commission/presscorner/detail/en/statement_20_1366). In addition, the Commission is working to develop the “toolbox” for secure international data transfer, including modernisation of the SCC. Taking into account the high level of protection of personal data, the Commission is working with the US administration to ensure the security of data transfers to the US. The US Government, represented by the Secretary of Commerce and the State Department, has already expressed its regret at the ruling (https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and; https://www.state.gov/european-court-of-justice-invalidates-eu-u-s-privacy-shield/). The State Department stressed that the US shares with the EU the values of the rule of law and democracy. The Secretary of Commerce hopes that, in cooperation with the European Commission, the negative effects on transatlantic trade can be limited.
Within Europe, numerous supervisory authorities have also submitted comments. Broadly speaking, two directions can be identified. While some of the supervisory authorities welcome the ruling and announce that they want to examine compliance with data protection standards more closely (very clearly Ireland, Hamburg, Berlin), others want to examine the ruling first and refer to the necessary European coordination (e.g. Great Britain, France). As a practical measure, the UK Information Commissioner's Office (ICO) recommends continuing to use the Privacy Shield for the time being if it is already in use. Under no circumstances should data transfers based on the Privacy Shield be started now. Also worth emphasising is the statement of the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, who points out the fatal consequences for the economy on both sides of the Atlantic if data transfer is consistently prevented (https://www.baden-wuerttemberg.datenschutz.de/der-eugh-koennte-seinen-hebel-ueberschaetzen/). In contrast, the supervisory authority in Berlin has taken a clear position in favour of stopping data flows to the USA for the time being.
The following overview summarises the statements of the supervisory authorities to date (alphabetical order by country code; EU for institution at EU level).
In this respect, the opinions are divided into three categories: cautious/neutral (no legal assessment or immediate need for action yet), moderate to strict (reference to existing legal problems and risks of the data transfer without final positioning on the permissibility of the data transfer) and clear negative positioning (clear assessment of the data transfer as inadmissible).
| ||Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (Federal Data Protection and Information Commissioner)||The FDPIC refers only briefly to the judgment. It is not directly applicable to Switzerland. However, it will examine it and make a statement in due course.|
|CZ||Úřad pro ochranu osobních údajů (Office for the Protection of Personal Data)||The Czech Office for the Protection of Personal Data has so far only briefly referred to the CJEU decision, but abstains from an assessment.|
|DK||Datatilsynet (Data Protection Authority)||The Danish data protection authority only briefly presents the main content of the ECJ ruling, pointing out that the issues raised by the Court would need to be examined. The opinion does not contain any further assessment.|
|EU||European Data Protection Board||The EDPB points out that the CJEU refers to errors in the EU-US Privacy Shield, which the EDPB has already pointed out. It wants to support the Commission in concluding a legally compliant agreement with the US. In addition, the EDPB wants to develop measures that data exporters can implement to ensure the required protection. However, it also draws attention to the obligations arising from the SCC and stresses that the supervisory authorities are obliged to prohibit data transfers that do not meet the requirements.|
|EU|| ||The EDPS welcomes that the CJEU decision emphasises the importance of a high level of protection of data transferred to third countries. At the same time, it hopes that the US will promptly achieve a level of data protection equivalent to that required by the CJEU. In the light of the ruling, the EDPS is also reviewing the agreements entered into by the EU institutions. Microsoft is mentioned by name.|
|FR||Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority)||For the time being, the CNIL is keeping a low profile and refers to the review of the judgment in the EDPB.|
|GER||Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information)||According to the BlnBDI, the European Court of Justice had explained in a positive way that data exports could not only be about the economy, but that the fundamental rights of people must also be in the foreground. The “hour of digital independence for Europe” had now come. In addition, the BlnBDI sees the CJEU ruling as a challenge to prohibit inadmissible data transfers to third countries. In addition to the USA, Russia, China and India are explicitly mentioned. The BlnBDI also mentions that companies can be liable for damages if they transfer data to third countries in an illegal manner.|
|GER||Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (The Federal Commissioner for Data Protection and Freedom of Information)||The BfDI still considers data traffic between the EU and the USA to be possible. It wants to advise companies on the transition from the Privacy Shield to other measures. It also sees the supervisory authorities strengthened and stresses that data exchange must be prohibited if it does not meet the requirements of the CJEU.|
|GER||Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (The Hamburg Commissioner for Data Protection and Freedom of Information)||The HmbBfDI welcomes the ruling. It stresses that the USA has not made any significant improvements after the failed Safe Harbor Agreement. It also criticises the fact that the CJEU considered the SCC to be an appropriate instrument for data protection as inconsistent with the Safe Harbor Agreement. The HmbBfDI believes that the supervisory authorities should jointly develop a strategy for dealing with international data transfers. It also sees difficult times ahead for international data transfer.|
|GER||Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (The State Commissioner for Data Protection and Freedom of Information Rhineland-Pfalz)||The RPLfDI believes that the rights of the individual have been strengthened by the CJEU, but also sees “hard work” ahead for the companies concerned. It emphasises that data transfer to third countries must be suspended if the law there cannot be brought into line with European data protection law. It points to the need for coordination between the supervisory authorities. The LfDI has also compiled a list of answers to frequently asked questions.|
|GER||Der Thüringer Landesbeauftragte für den Datenschutz und die Informationsfreiheit (The Thüringer State Commissioner for Data Protection and Freedom of Information)||The TLfDI is grateful to the CJEU for “its clear finding that the ombudsman mechanism [of the US] does not meet the EU’s legal safeguards”. It is questionable how SCC can be brought to life in the future. The European supervisory authorities now have a duty, particularly with regard to the data protection-compliant transfer of data to the USA.|
|GER||Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg (State Commissioner for Data Protection and Freedom of Information Baden-Württemberg)||In the FAZ interview, the LfDI BW welcomes in principle the fact that the CJEU is attempting to establish a level of protection worldwide that meets the standard of the GDPR. At the same time it wonders whether the CJEU is not overestimating the leverage of the EU. If Europe were to consistently prevent the transfer of data to the USA, the damage to the EU would also be massive. However, it stresses that the CJEU is serious about data protection, including all its consequences.|
|IRE||Data Protection Commission||The DPC welcomes the CJEU ruling, as it underlines DPC’s concerns about data transfers to the US. The DPC also believes that the position of the supervisory authorities has been strengthened, as they could now intervene in the case of data transfers to the US.|
|LTU||Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate)||The Lithuanian DPA briefly summarises the main points of the judgment and points out that it is analysing the decision in the context of the EDPB.|
|NL||Autoriteit Persoonsgegevens (Data Protection Authority)||Although the Dutch data protection authority (AP) does not explicitly oppose the use of SCC for data transfers to the USA, the overall context is important. The AP makes it clear that the SCC can only be used as a safeguard if an equivalent level of protection can be guaranteed in practice in the recipient country. In the absence of a general law on the protection of personal data in the USA, the country does not have an adequate level of protection comparable to that in the EU. The AP is currently examining the practical consequences of the decision within the European Data Protection Committee (EDPB).|
|UK||Information Commissioner’s Office||The ICO points out that the Privacy Shield should initially continue to be used, but new transfers should no longer be based on the Privacy Shield.|
by Multiple authors