In its judgment of 16 July 2020 in Case C-311/18 (also called "Schrems II"), the European Court of Justice (ECJ) invalidated the "Privacy Shield" arrangement between the USA and the EU and took the wind out of the sails of transatlantic data transfer. This is a change especially for companies which transfer data from the EU to the United States solely on the basis of the Privacy Shield. Data transfer on the basis of the EU Standard Contractual Clauses (SCCs) continues to be possible.
But caution is required: the ECJ has also made it clear that the SCCs only provide adequate guarantees for the protection of personal data if they can actually be complied with in the respective third country. This clarification also has consequences for the transfer of personal data on the basis of SCCs to other third countries where there is no adequate level of data protection.
After the ECJ had already held in October 2015 that the so-called "Safe Harbor" arrangement was invalid (ECJ, judgment of 6 October 2015, C-362/14), the ECJ now had to decide whether the subsequent "Privacy Shield" arrangement offers a level of protection which is adequate by the standards of European data protection law and can legitimize the transfer of personal data to the USA. The court also addressed the question whether the SCCs are valid and can alternatively legitimize transferring data to a third country without an adequate level of protection. The trigger for the decision was again a request for a preliminary ruling from the Irish High Court. This was preceded by the complaint of the Austrian citizen Max Schrems who, as a Facebook user, objected to the transfer of his data from Facebook Ireland to its American parent company. He based his original complaint primarily on the fact that US corporate groups are required by the law and practice in the United States to provide personal data to certain American authorities without data subjects being able to challenge the disclosure.
The ECJ has ruled that the Privacy Shield Decision (EU) 2016/1250 is invalid. The ECJ bases its decision decisively on the fact that the United States gives priority to national security, the public interest and the enforcement of American law. The result is that interferences with the fundamental rights of persons whose data are transferred to the United States are possible. Furthermore, the American surveillance programmes do not contain any guarantees that enable the persons concerned to have legal recourse to a body which provides guarantees essentially equivalent to those required under the law of the European Union. This includes in particular guarantees which assure both the independence of the ombudsperson provided for under this mechanism and the existence of rules which authorize the ombudsperson to issue decisions that are binding on the American intelligence services.
The SCCs, in the view of the ECJ, are in accordance with EU law. These clauses contain effective mechanisms which guarantee in practice that the level of protection required under the law of the European Union is complied with. The Court emphasized in this respect, however, that both the data importer and the data exporter must examine in advance whether the SCCs, and therefore the adequate level of data protection in the third country, can actually be complied with. In particular, the data importer must notify the data exporter if it cannot comply with the SCCs. Special attention must also be given to the statement by the ECJ that the competent supervisory authority must suspend or prohibit a transfer of personal data based on SCCs if it is of the opinion that the clauses are not or cannot be complied with in the respective third country.
The first German supervisory authorities have already commented on this topic. In particular, the Data Protection Commissioner of Rhineland-Palatinate has published FAQs with concrete guidance on whether the SCCs can be applied to a transfer to the USA. According to these FAQs, the SCCs can only be used if the data importing company in the USA is not subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). Even where the importer itself is not subject to FISA 702, however, the SCCs cannot be relied on if the importer has engaged a service provider (e.g. for cloud services) that is subject to FISA 702. In that case, the American authorities would again have a backdoor to access the data.
Transferring data to the USA based solely on the Privacy Shield is no longer permissible. If a data transfer is based on SCCs, or is to be based on the clauses in future, the companies must ensure that the clauses can be complied with. This also means that companies must check whether the data importing company is subject to a national law which makes it impossible to comply with the SCCs. For this reason, the decision of the ECJ affects not only transfers to the USA but also has consequences for transferring personal data to other third countries where there is no adequate level of data protection. It remains to be seen to what extent the German supervisory authorities will also conclude that the SCCs cannot be complied with in other third countries (e.g. China, Russia or India) because of extensive access to data by state authorities.
A first position of the European Data Protection Board on this matter is available at:
https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_de
The FAQs of the Rhineland-Palatinate Data Protection Commissioner are available (only in German) at:
https://www.datenschutz.rlp.de/de/themenfelder-themen/datenuebermittlung-in-drittlaender/
The judgment of the ECJ can be accessed with the following link:
http://curia.europa.eu/juris/document/document.jsf;jsessionid=F9E1A4EC60AD5CA90A6E488CABE93614?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9982582
Tom Kleine Jäger and David Thies
Frankfurt a.M.