ECJ vs. Privacy Shield FAQ: Companies need new data protection contracts

After just four years, the European Court of Justice (ECJ) has overturned the “EU-US Privacy Shield”. The EU Commission approved the arrangement on July 12, 2016, and it entered into force on August 1, just under three weeks later: at the time, data exchange with the United States seemed to have been put on a stable footing. The year before, the ECJ had declared the preceding “Safe Harbor” arrangement, which had lasted 15 years, invalid.

“Our companies urgently need legal certainty in transatlantic data traffic,” said the then Economics Minister Sigmar Gabriel in 2016. The Privacy Shield was meant to provide this after Safe Harbor had been declared invalid. The new arrangement was added to the list of so-called adequacy decisions of the EU Commission, in which the Europeans list countries whose data protection is considered equivalent to that of the EU member states. The legal basis for this is Article 45, Paragraph 3 of the General Data Protection Regulation (GDPR).

If the European Commission has adopted an adequacy decision, personal data may be transferred to the respective country without further approval, provided that the other provisions of the GDPR are complied with. Data transfers on this basis are therefore privileged: they are treated as equivalent to transfers within the EU. Adequacy decisions currently exist for the transfer of personal data to the following third countries:

  • Andorra

  • Argentina

  • Canada

  • Faroe Islands

  • Guernsey

  • Israel

  • Isle of Man

  • Japan

  • Jersey

  • New Zealand

  • Switzerland

  • Uruguay

The USA, which was previously on the list, must be removed after the ECJ ruling. As with some other countries, however, the USA had already been subject to a special arrangement, since the content of the respective adequacy decisions can vary from country to country. The Privacy Shield was not a blanket licence for unrestricted data exchange across the Atlantic either: in order to ensure data protection comparable to the European standard, the agreement was supposed to provide the appropriate mechanisms.

Data-processing companies with servers in the USA first had to certify themselves and commit to complying with essential data protection principles. These included, for example, the purpose limitation principle and the obligation to delete data once it is no longer required. The U.S. Department of Commerce maintains a list of Privacy Shield certified companies. Most recently, 5384 companies were on that list, including the major US cloud providers Amazon, Google and Microsoft.


In a statement by the Department of Commerce in 2016, the US government “explicitly assured that US security agencies would not have mass access to EU citizens’ data if it was stored on US servers.” What would constitute a reason for mass access was left open. In addition, an Ombudsperson was to be appointed in the US State Department to receive complaints from EU citizens and thereby improve their legal protection against unauthorized data access by US authorities. The EU Commission intended to check annually whether the rules of the Privacy Shield were being observed. The set of rules appears to have withstood this examination by the Commission, but not the critical eye of the judges at the ECJ.

The judges in Luxembourg were called on to examine the extent to which the set of rules is suitable for protecting the personal rights of EU citizens. The proceedings were initiated by the Austrian data protection activist Max Schrems, at whose instigation the ECJ had already overturned the previous Safe Harbor agreement in 2015. Facebook user Schrems complained that the social network’s Irish-based European headquarters transmits his data to the company’s headquarters in the USA, where, in his view, it is not adequately protected against access by authorities and intelligence services. The Irish supervisory authority then initiated proceedings before the national High Court. Since the GDPR had in the meantime come into force across Europe, the Irish court referred the case to the ECJ. Specifically, the following questions were put:

  • To what extent is the GDPR applicable to data transfers that are based on standard contractual clauses?

  • What level of protection does the GDPR require in the context of such data transmission?

  • What are the obligations of the supervisory authorities in this context?

  • Are the rules provided for this – i.e. standard contractual clauses or the Privacy Shield – suitable for enforcing the rules of the GDPR and are they therefore generally valid?