Safe harbor adieu – Privacy Shield thrown overboard!

The European Court of Justice rules that the "EU-US Privacy-Shield" is invalid; EU Standard Contractual Clauses are supposed to continue to apply - but caution!

In the judgment (C-311/18) dated 16 July 2020 (also called “Schrems II”), the European Court of Justice (ECJ) eliminated the "Privacy Shield Agreement" between the USA and the EU and took the wind out of the sails of transatlantic data transfer. This means a change especially for companies which transfer data from the EU to the United States solely on the basis of the Privacy Shield. Data transfer on the basis of the EU Standard Contractual Clauses (SCCs) continues to be possible.

But caution is required: The ECJ has also made it clear in this respect that the SCCs only provide adequate guarantees for protection of personal data if they can be complied with in the respective foreign country. This clarification also has consequences for the transfer of personal data on the basis of SCCs to other foreign countries where there is no adequate level of data protection.

What happened?

After the ECJ had already held in October 2015 that the so-called "Safe Harbor Agreement" was invalid (ECJ, judgment dated 6 October 2015, C-362/14), the ECJ now had to deal with the issue of whether the subsequent "Privacy Shield Agreement" offers a level of protection which is reasonable with regard to European data protection and can legitimize the transfer of personal data to the USA. The court also addressed the issue of whether the SCCs are valid and can alternatively legitimize transferring data to an unsafe foreign country. The trigger for the decision was again a request for a preliminary ruling from the Irish High Court. This was preceded by the complaint of the Austrian citizen Max Schrems who, as a Facebook user, objected to the transfer of data from Facebook Ireland to its American parent company. He based his original complaint primarily on the fact that US corporate groups are required by the law and practice in the United States to provide personal data to certain American authorities without data subjects being able to proceed against the disclosure.

Why is the Privacy Shield Agreement invalid?

The ECJ has ruled that the Privacy Shield Resolution 2016/1250 is invalid. The ECJ bases its decision decisively on the fact that the United States gives priority to national security, public interest and American law. The result is that infringements of the fundamental rights of persons whose data are transferred to the United States are possible. Furthermore, the American "monitoring rules" do not contain any guarantees that enable the persons involved to have legal recourse to a body which provides guarantees equivalent to those under the law of the European Union. This includes especially those guarantees which assure both the independence of the ombudsman intended under this mechanism and the existence of norms which authorize the ombudsman to issue binding decisions to the American intelligence services.

EU Standard Contractual Clauses continue to apply, but caution!

The SCCs, in the view of the ECJ, are in accordance with EU law. These clauses contain effective mechanisms which guarantee in practice that the level of protection demanded under the law of the European Union is complied with. The Court emphasized in this respect, however, that both the importer and the exporter of data must examine in advance whether the SCCs, and therefore the adequate level of data protection in the foreign country, can be complied with. In particular, the recipient of the data must give notification if the recipient cannot comply with the SCCs. Special attention must also be given to the statement by the ECJ that the relevant supervisory authority must suspend and prohibit transmission of personal data based on SCCs if the authority is of the opinion that the clauses will not or cannot be complied with in the respective foreign country.

First statements of the German supervisory authorities:

The first German supervisory authorities have already commented on this topic. In particular, the data protection officer of Rhineland-Palatinate has published FAQs and provided concrete information on whether the SCCs can be applied to a transfer to the USA. According to these FAQs, the SCCs can only be used if the data importing company within the USA is not subject to the Foreign Intelligence Surveillance Act (FISA) 702. However, this should not apply if the data importing company has engaged a service provider (e.g. for cloud services) that is subject to FISA. In this case, the American authorities would again have a backdoor to access the data.

What is the consequence of the decision by the ECJ?

Transferring data to the USA based solely on the Privacy Shield is now no longer permissible. If the data transfer is based on SCCs, or is to be based on the clauses, the companies must ensure that the clauses can be complied with. This also means that companies must check whether the data importing company is subject to a national law which makes it impossible to comply with the SCCs. For this reason, the decision of the ECJ concerns not just transfers to the USA but also has consequences for transferring personal data to other foreign countries where there is no adequate level of data protection. It remains to be seen to what extent the German supervisory authorities will also consider compliance with the SCCs to be impossible in other third countries (e.g. China, Russia or India) due to extensive access to data by state authorities.

Recommended action for affected companies:

  • Companies should first determine whether they transfer personal data to a country outside the EU/EEA and on which data protection instruments (e.g. the EU-US Privacy Shield, SCCs or Binding Corporate Rules) the transfer is currently based. This may include data transfers between individual group companies, including the transfer of employee data within the group, and transfers to third parties, such as IT and cloud service providers.
  • Where the data transfer has so far been based on the EU-US Privacy Shield, alternative data protection instruments must be used to ensure an adequate level of data protection.
  • In case SCCs are to be used as an alternative data protection instrument, the company must examine whether these clauses can be complied with by the data importing company. This also includes a review of the third country's applicable national law. For a data transfer to the USA, this means that the data importing company must not be subject to FISA.
  • As a further alternative, the companies concerned can currently still have Binding Corporate Rules approved by the European data protection authority. These are not directly affected by current ECJ case law.
  • Affected companies can also examine whether one of the exceptions in Art. 49 GDPR (derogations for specific situations) is relevant. However, the companies should take into account that the exceptions in Art. 49 GDPR are generally to be interpreted strictly and are in principle not applicable to regular and recurrent data transmissions.
  • Regardless of the alternative chosen, the companies concerned should keep current developments in mind and take the statements of the data protection authorities as well as of the European Data Protection Board into consideration.

A first position of the European Data Protection Board on this matter is available at:
https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_de

The FAQs of the Rhineland-Palatinate Data Protection Commissioner are available (only in German) at:
https://www.datenschutz.rlp.de/de/themenfelder-themen/datenuebermittlung-in-drittlaender/

The judgment of the ECJ can be accessed with the following link:
http://curia.europa.eu/juris/document/document.jsf;jsessionid=F9E1A4EC60AD5CA90A6E488CABE93614?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9982582

Tom Kleine Jäger and David Thies
Frankfurt a.M.