Data exchange with the USA: ECJ destroys EU-US Privacy Shield

Max Schrems struck again. After the Safe Harbor Agreement was overturned in 2015, the EU-US Privacy Shield was now on the agenda. In its judgment announced on July 16, 2020, the European Court of Justice (ECJ) announced that its examination did not reveal anything that could affect the validity of the standard contractual clauses of the EU Commission. In contrast, the ECJ declared the EU-US Privacy Shield invalid.

According to the General Data Protection Regulation (GDPR), which has been in force since May 2018, personal data may only be transferred to countries outside the EU or the European Economic Area (so-called third countries) if the person responsible for the data transfer provides so-called suitable guarantees.
Up to July 16, 2020, the following were considered:

  • The standard data protection clauses (formerly standard contractual clauses).
    The standard data protection clauses are contractual clauses formulated by the European Commission, which are generally agreed between the person responsible in the EU (data exporter) and the data recipient in the third country (data importer). You oblige the data recipient to comply with data protection in order to ensure an appropriate level of data protection.

  • The EU-US Privacy Shield (no longer applicable from 16.07.2020!)
    In the case of an international data transfer to the USA, the so-called EU-US Privacy Shield is considered as a suitable guarantee in addition to the standard contractual clauses. The Privacy Shield is a decision of the Commission. The successor to the Safe Harbor Agreement, which was also overturned in 2015 on the initiative of Max Schrems, was heavily criticized by data protectionists for the same reasons.

The Irish Supreme Court has raised a number of questions with the ECJ that essentially challenge the effectiveness of standard data protection clauses. The background is a legal dispute between the Irish data protection officer and Facebook Ireland Ltd. and Maximilian Schrems, regarding the transfer of personal data to the US parent company of Facebook.
The starting point is the determination of the targeted and massive investigative powers by the American government authorities, in particular on the basis of the so-called CLOUD Act (Clarifying Lawful Overseas Use of Data Act), while there is a lack of legal remedies for EU citizens.

In view of these findings, the Irish court considers that a violation of fundamental European rights (right to privacy, protection of personal data, right to an effective remedy) could be considered by transferring data to the United States based on standard data protection clauses. The standard data protection clauses only apply between the data exporter and the data importer and have no binding effect on the national authorities of a third country.
Combined with the extensive powers of the American authorities, this could mean that the standard data protection clauses cannot offer suitable guarantees for the protection of personal data. From the Irish Court’s view, the consequence of this would ultimately be the ineffectiveness of the standard data protection clauses.

Reading tip: US CLOUD Act versus EU GDPR – freedom is not limitless in the cloud

Unlike the Irish Supreme Court, the CJEU sees no reason to assume that the standard contractual clauses are invalid. Like the Advocate General in his Opinion, he noted that the effectiveness of the standard data protection clauses was independent of the data protection level of the third country. The clauses are intended to compensate for any shortcomings in comparison with the European level of data protection by offering suitable guarantees for the protection of personal data.

The fact that security agencies in the United States have extensive access to personal data cannot therefore generally question the effectiveness of standard data protection clauses. Especially since the clauses of the EU Commission provide for the possibility to suspend or prohibit individual data transfers (“emergency stop regulation”). Accordingly, the controller or – if he does not act – the supervisory authorities can suspend or prohibit the data transfer if there is a violation of the standard contractual clauses. This would also be the case if it emerges that the legal system of the third country contradicts the application of the standard data protection clauses and there is no longer adequate protection for the transmitted data.

It is important that the contractual partners in other EU countries have to point this out if they cannot comply with the requirements of the standard data protection clauses, for example due to local legal requirements.

European companies would do well to explicitly request confirmation from their contractors that the rules of the standard data protection clauses can be complied with.

Although the main focus was on the standard data protection clauses, the CJEU also commented on the effectiveness of the EU-US Privacy Shield. As expected, this has now been declared invalid. The basis for this is, among other things, the surveillance measures by the US authorities uncovered by Edward Snowden. They give rise to doubts about the existence of a level of protection comparable to that of the GDPR for the protection of personal data. But this was precisely the basis of the decision on the Privacy Shield. According to the CJEU, the legal bases for the surveillance measures in US law are not clear and precise enough to provide legal certainty and to prevent abuse. It is particularly problematic that the measures taken by the US authorities are not checked by an independent body either beforehand or afterwards. The data subject is not informed and there is no effective legal remedy against the measures. The establishment of an ombudsperson as provided for in the Privacy Shield does not change this assessment.

During Max Schrems already discussed on Twitter with interested parties, it means for the EU as well as for companies that carry out data transfer with the USA to react.

The EU Commission is required to show the companies concerned alternatives to the EU Privacy Shield. The EU Commission has already dealt with this scenario in advance. However, it is more than questionable whether a new decision will be taken promptly.

In addition, companies now have to check their data transfers to the USA. If data processing is only based on the EU-US Privacy Shield, the standard contractual clauses should be agreed as soon as possible as an alternative suitable guarantee. But even if standard contractual clauses have already been agreed, companies should check whether the respective data transfers to a third country are GDPR-compliant. Since Brexit, this has also applied to data transfer to the UK. (bw)

Leave a Reply

Your email address will not be published. Required fields are marked *