After just four years, the European Court of Justice (ECJ) has overturned the “EU-US Privacy Shield”. The EU Commission adopted the framework on July 12, 2016, and it entered into force on August 1, just under three weeks later: at the time, data exchange with the United States seemed to have been put on a stable footing. The year before, the ECJ had declared the predecessor arrangement, “Safe Harbor”, invalid after 15 years in operation.
“Our companies urgently need legal certainty in transatlantic data traffic,” said the then Economics Minister Sigmar Gabriel in 2016. The Privacy Shield was meant to provide that certainty after Safe Harbor had been struck down. The new framework was added to the list of so-called adequacy decisions of the EU Commission, in which the Commission records the countries whose level of data protection is considered equivalent to that of the EU member states. The legal basis is Article 45(3) of the General Data Protection Regulation (GDPR).
Once the European Commission has adopted an adequacy decision, personal data may be transmitted to the country concerned without further authorisation, provided the other provisions of the GDPR are complied with. Transfers on this basis are therefore privileged: they are treated like transfers within the EU. Adequacy decisions currently exist for transfers of personal data to the following third countries:
Isle of Man
The USA, which was previously on the list, must be removed following the ECJ ruling. As with some other countries, however, the US entry had always been a special arrangement: the content of an adequacy decision can vary from country to country, and the Privacy Shield was never a blanket licence for free data exchange across the Atlantic. The framework was supposed to provide the mechanisms needed to guarantee data protection comparable to the European standard.
US companies that wanted to receive data under the framework first had to self-certify and commit to complying with essential data protection principles, for example the purpose limitation principle and the obligation to delete data once it is no longer required. The U.S. Department of Commerce maintains the list of Privacy Shield certified companies. At the time of the ruling it contained 5,384 companies, including the major US cloud providers Amazon, Google and Microsoft.
In a 2016 statement by the Department of Commerce, the US government “explicitly assured that US security agencies would not engage in mass access to EU citizens’ data stored on US servers.” What would justify mass access in the first place was left open. In addition, an Ombudsperson was to be appointed in the US State Department to receive complaints from EU citizens and thereby improve their legal protection against unauthorised data access by US authorities. The EU Commission intended to review annually whether the rules of the Privacy Shield were being observed. The framework appears to have survived those reviews by the Commission, but not the critical eye of the judges at the ECJ.
The judges in Luxembourg were asked to examine to what extent the framework is suitable for protecting the personal rights of EU citizens. The proceedings were initiated by the Austrian data protection activist Max Schrems, at whose instigation the ECJ had already overturned the Safe Harbor agreement in 2015. Schrems, a Facebook user, complained that the social network’s European headquarters in Ireland transfers his data to the company’s headquarters in the USA, where, in his view, it is not adequately protected against access by authorities and intelligence services. The Irish supervisory authority then brought proceedings before the Irish High Court. Since the GDPR had by then entered into force across Europe, the Irish court referred the case to the ECJ. Specifically, the following questions were put to the court:
To what extent is the GDPR applicable to data transfers that are based on standard contractual clauses?
What level of protection does the GDPR require in the context of such data transmission?
What are the obligations of the supervisory authorities in this context?
Are the instruments provided for this purpose, i.e. the standard contractual clauses and the Privacy Shield, suitable for enforcing the rules of the GDPR, and are they therefore valid?
On July 16 of this year, the ECJ declared the EU Commission’s Privacy Shield decision (2016/1250) invalid. Personal data of European citizens is not adequately protected by its rules when transferred to the United States, the judges reasoned, because priority is given to US interests such as national security, which allows interference with the fundamental rights of European users whose data is transferred to the USA. Above all, the judges pointed out that the proportionality of data access is not guaranteed. The GDPR requires that the use of the data be limited to what is strictly necessary. That is not the case in the USA, particularly with regard to the activities of the intelligence services.
The ECJ also criticised the fact that the large-scale surveillance programmes of the US intelligence services are not subject to any limitation. In addition, non-US persons affected by these programmes have no guarantees and no means of enforcing their rights against the US authorities. The ombudsperson mechanism provided for in the Privacy Shield is essentially ineffective. “For all of these reasons, the Court of Justice annulled Decision 2016/1250,” the ECJ’s statement says.
In their reasoning, the judges in Luxembourg stated that the GDPR continues to apply even where authorities of a third country access the transferred data for reasons of national or public security. Other countries cannot simply override the data protection rules applicable in Europe.
While the judges found the Privacy Shield unsuitable for ensuring the data protection of European citizens, they held that standard contractual clauses remain a valid means of enforcing the rules of the GDPR. The EU Commission adopted the relevant rules in a decision (2010/87) of February 5, 2010. The fact that the clauses, being contractual, do not bind the authorities of the third country is not in itself enough to invalidate that decision.
Rather, what matters is that the decision on the standard contractual clauses contains effective mechanisms to ensure the level of protection required by the GDPR and to suspend or prohibit the transfer of data in the event of a breach of the clauses. “The Court finds that Decision 2010/87 provides such mechanisms,” said a state
However, the judges explicitly emphasised that the data protection obligations arising from the standard contractual clauses must actually be observed. That means:
It must be explicitly verified whether the GDPR-compliant level of protection required is maintained in the third country.
The data importer is obliged to inform the data exporter if it cannot comply with the standard data protection clauses.
In that case, the data exporter must suspend the transfer and/or terminate the contract.
Regarding the assessment of the level of data protection, the judges noted that, in addition to the contractual clauses, possible access by public authorities and “the relevant aspects of the legal system of that third country” must be taken into account. Although this passage leaves room for interpretation, it can be read to mean that countries in which intelligence services have more or less uncontrolled access to personal data, and in which foreign persons cannot enforce their rights against domestic authorities, do not offer a level of data protection equivalent to the GDPR. Besides the USA (see the criticism of the Privacy Shield above), this would affect a number of other countries as well.
By contrast, the judges’ statements on what the supervisory authorities are expected to do are clear. If a country is not on the EU Commission’s list of adequacy decisions, the supervisory authorities are obliged to suspend or prohibit the transfer of personal data to it if …
… they consider that the standard data protection clauses are not or cannot be complied with, and
… the protection of the transferred data cannot be ensured by other means, unless the data exporter itself ends the transfer.
Although politics and business currently have their hands full getting a grip on the consequences of the corona crisis, the wheels in Brussels and Washington are likely to start turning quickly. After all, the economy depends on functioning international data flows. Four years ago things moved comparatively fast: in October 2015 the ECJ declared the Privacy Shield’s predecessor Safe Harbor null and void; by February 2016 the EU Commission and the United States had agreed on a successor arrangement, which came into effect at the beginning of August of the same year, less than a year after Safe Harbor ended.
The EU Commission was apparently prepared for the judgment of the ECJ. Justice Commissioner Didier Reynders announced on the day of the verdict, July 16, that he would talk to the US government about the way forward and develop new standard contractual clauses in line with the ECJ ruling. Secretary of Commerce Wilbur Ross said he was disappointed by the decision of Europe’s highest court, but confirmed the US administration’s willingness to work with EU officials on a new agreement. Ultimately, it is about “limiting the negative effects of $7.1 trillion annually on transatlantic economic relations that are so vital to our citizens, businesses, and governments.”
Whether things will move as quickly this time as after the failure of Safe Harbor is questionable, however. The EU Commission will hardly want to risk another defeat in court. Four years ago, the Privacy Shield decision drew heavy criticism from data protection experts. According to a number of MEPs, the agreement did not meet the requirements of the EU Charter of Fundamental Rights because it did not provide the necessary protection of personal data. Others spoke of practically ineffective guarantees of fundamental rights and completely inadequate provisions on legal remedies.
Even Edward Snowden, whose revelations about the surveillance activities of the US intelligence services had triggered the data protection debate in the first place, could find nothing positive to say about the Privacy Shield: “The EU completely surrendered, even though it had all the trump cards in hand. I have still never seen a political deal that has been criticised so strongly.”
In fact, the EU Parliament repeatedly criticised the Privacy Shield in recent years and called for improvements, to little effect. And while the decision was formally adopted on the European side, it never received the equivalent status in the United States: the US Senate never approved the agreement. Civil rights activists therefore argue that the Privacy Shield was never legally binding, since the US government never went beyond declarations of intent.
So far, the Trump administration has shown little interest in attending to European data protection standards. The Privacy Shield was launched in 2016 in the middle of the US election campaign, which Donald Trump went on to win against expectations. As one of his first official acts, on January 25, 2017, the newly sworn-in US President signed an executive order excluding non-US persons from the protections of the Privacy Act. That 1974 law protects US citizens against indiscriminate data collection and misuse of their records by federal agencies.
Germany’s former Federal Data Protection Commissioner, Peter Schaar, doubted whether an adequate level of data protection for EU citizens in the USA could still be assumed in the face of this approach. Moreover, the ombudsperson post that the Privacy Shield established in the USA to receive and process complaints went unfilled for years. It was not until the end of June 2019 that Keith Krach was officially appointed ombudsperson for Privacy Shield matters.
Given the US government’s apparent lack of interest in addressing European data protection concerns, a new agreement is likely to be a distant prospect, especially since US elections are due again this year and the debate there is likely to revolve around other issues. In addition, the EU Commission will not be keen to launch another half-baked agreement for the ECJ to take apart again in a few years’ time.
International companies that believed the Privacy Shield had put their transatlantic data traffic on a secure legal footing must act now. With the ECJ’s decision, the Privacy Shield is invalid with immediate effect. Those responsible in companies can no longer rely on its rules when transferring data to the USA. The judgment provides for neither a postponement nor a grace period, according to the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Whether companies will be granted a transition period to move their contracts from the Privacy Shield to standard contractual clauses is currently unclear. After Safe Harbor ended, there was a grace period of a few months during which the data protection authorities refrained from enforcement. According to the BfDI, the European data protection authorities have already discussed the effects of the ECJ judgment, but there has been no discussion yet of how deferral arrangements could be implemented in practice.
However, the first signals from the data protection authorities indicate that no wave of enforcement action over possible data protection violations is to be expected. One cannot impose a ban without offering companies an effective alternative, according to the BfDI; it would be unfair to hold a gun to companies’ heads now. The EU data protection authorities currently appear to be working towards a uniform, Europe-wide approach to the judgment. After all, nobody should be put at a disadvantage.
Nevertheless, Federal Commissioner for Data Protection Ulrich Kelber made it unmistakably clear that the ECJ ruling strengthens the fundamental rights of European citizens. “Special protective measures must now be taken for data exchange with the United States.” Companies and public authorities can no longer transfer data on the basis of the Privacy Shield. Kelber announced that his office would “naturally provide intensive advice” to companies on the changeover.
The German data protection commissioner sees the role of the data protection supervisory authorities confirmed and strengthened. “They must be able to examine each individual data processing operation and check whether the high requirements of the ECJ are met.” That also means prohibiting data exchange where the requirements are not met. Kelber speaks of a complex task for companies and regulators in applying the judgment in practice. He left no doubt, however, that the instructions of the judges in Luxembourg will be followed: “We will push for rapid implementation in particularly relevant cases.”