On 16 July the European Court of Justice ruled that the “EU-US Privacy Shield” agreement can no longer be used to justify transfers of personal data from the European Union to the United States.
We would like to briefly summarise the short and medium-term consequences for businesses in the EU and in the US and also take a look at data transfers to other non-EU countries.
1. International data transfers under the GDPR
The GDPR imposes the following general rules for international transfers of personal data: Whenever data are transferred from an EU controller to a recipient in a third country, the transfer must meet the requirements of the following two-step test:
- At the first step, any transfer of personal data to a third-party recipient always requires a legal basis under art. 6 GDPR. (This first step is often overlooked in the case of a transfer to a third country.)
- At the second step, transfers of data to third countries under art. 44(1) GDPR must meet the additional requirements of chapter 5 of the GDPR. The idea behind this second step is that the level of protection of personal data provided by the GDPR may not be undermined by the transfer to a third country. To this end, chapter 5 of the GDPR provides for three protection mechanisms: The EU Commission may issue an adequacy decision for certain countries under art. 45 GDPR, the parties may stipulate appropriate guarantees under art. 46 GDPR, and exceptions apply to certain cases under art. 49 GDPR.
2. The EU-US Privacy Shield
The Privacy Shield is an agreement between the United States and the European Union which contains various assurances from the US government for EU data subjects. On the basis of this agreement, the European Commission adopted an adequacy decision (2016/1250) under art. 45 GDPR with regard to businesses that are certified under the Privacy Shield framework.
With today’s decision (a so-called preliminary ruling), the European Court of Justice determined that this specific adequacy decision is invalid. As a direct consequence, data transfers to the United States can no longer be based on the Privacy Shield.
The ECJ argues that the existing framework (just as its predecessor, the “Safe Harbour” program) gives priority to the requirements of national security, the public interest and compliance with US law, which leads to unjustified violations of the fundamental rights of EU data subjects. In particular, since US law allows for a disproportionate level of state surveillance from an EU perspective, the US does not have a level of data protection comparable to that of the EU, even when taking into account the Privacy Shield. Furthermore, the establishment of a Privacy Ombudsperson does not constitute a measure that provides EU citizens with effective legal protection vis-à-vis authorities and courts in the United States.
3. The future of the Standard Contractual Clauses
Now that the “Privacy Shield” can no longer act as an effective protection mechanism, we need to look at how data transfers to the US can still be carried out in compliance with the GDPR. Generally, the most important such mechanism for international data transfers is the Standard Contractual Clauses (SCCs, also called “model clauses”) under art. 46(2)(c) GDPR. In the “Schrems II” judgment, the ECJ also discussed the SCCs and (fortunately) found that they are, at least per se, compatible with the EU Charter of Fundamental Rights and can therefore remain valid.
However, the ECJ has also made it clear that SCCs cannot be used to secure every transfer to any third country. Rather, SCCs can only be used if the data exporter and the recipient in the third country can guarantee that the rules of the SCCs can actually be complied with in that third country. If, on the other hand, compliance with the SCCs cannot be ensured, the parties must terminate the data transfer. Ultimately, it comes down to the question of whether the third country in question gives its state institutions access to personal data in a way that undermines the data protection principles of the European Union.
For the USA, the ECJ’s decision has in effect already found that the legal framework there, in particular the existing surveillance legislation, makes it impossible to comply with the SCCs. In consequence, European supervisory authorities are now tasked with halting any such transfer of personal data on the basis of the SCCs if they find that the requirements simply cannot be met in the recipient country.
According to the ECJ’s decision, data transfers to the United States can no longer be based on the “Privacy Shield” framework. Instead, many will probably now resort to SCCs (in cases where SCCs have not already been agreed on anyway), as these can be concluded relatively quickly. However, it is foreseeable that a transfer of personal data to the United States on the basis of the SCCs will most likely be prohibited by the European data protection authorities soon, since the required compliance with European data protection standards is simply not possible in the United States. The German Federal Data Protection Commissioner has already indicated in an initial press release that the authorities will want to act quickly in this matter.
For businesses on both sides of the Atlantic, this situation is obviously less than satisfactory. As a last resort, the ECJ points out that a “legal vacuum” could be prevented by applying the exceptions in art. 49 GDPR, which apply in cases where a data transfer cannot be based on an adequacy decision under art. 45 or on appropriate guarantees under art. 46 GDPR. However, these exceptions are rather restrictive and are clearly not intended for mass circumventions of the GDPR, but as solutions for very specific individual cases, for example the booking of a trip with an overseas tour operator.
We therefore recommend proceeding as follows: As a first step, all data transfers to the United States that are currently (only) based on the “Privacy Shield” should be covered by Standard Contractual Clauses instead, so that at least a valid statutory safeguard is in place. In parallel, clients should examine whether the respective data transfer can be based on an exception under art. 49 GDPR or whether the data processing as a whole can be kept within the EU. This is because we currently assume that, on the basis of the same arguments as in the ECJ’s judgment, data transfers to the United States (and also to other states such as China) on the basis of Standard Contractual Clauses are in jeopardy.
Written on 16 July 2020 by Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte