The ECJ has declared the Privacy Shield ineffective in its decision called “Schrems II”. This means high barriers to data transfers to the USA. Even the standard contractual clauses can now only be used under certain conditions.
General legal situation regarding international data transfers
In principle, the transfer of personal data to third countries is not permitted under the GDPR unless the level of data protection there is approved as equivalent by the EU. However, such an approval has so far only been given for the EEA, Switzerland and a few countries, such as New Zealand and Uruguay.
Companies therefore regularly use standard contractual clauses (SCC) for transfers to third countries such as the USA, China or India. These are pre-formulated clauses that have been issued by the EU Commission and are intended to guarantee adequate data protection if they are concluded without any amendments. Companies in the USA have been able to certify themselves for the “Privacy Shield” as an equivalent and thus make transmission possible. The Privacy Shield was an agreement concluded between the USA and the EU to ensure the transfer of personal data between the USA and the EU. The ECJ has now declared this agreement invalid.
What had happened?
The background to the ruling was a legal dispute lasting several years between the Austrian Maximilian Schrems and Facebook. The Austrian claimed that a data transfer to the USA on the basis used by Facebook violates the GDPR.
Back in 2015, the ECJ ruled in its “Schrems I” judgement that the former “Safe Harbor” agreement between the USA and the EU was invalid and that processing on this basis was therefore no longer eligible. As a reaction to this judgement, the Privacy Shield was negotiated between the EU and the USA. The data transfer from Facebook was based on this.
Schrems lodged another complaint against this. This time, he argued that it was contrary to the provisions of the GDPR for the Irish Facebook subsidiary to transfer data to the US parent company, even though the latter was obliged to disclose the data to the US authorities without the persons concerned being able to object.
Privacy Shield ineffective
In its judgement of 16.7.2020 (Case C-311/18, Facebook Ireland / Schrems II), the ECJ has now ruled that the Privacy Shield is also in breach of EU law and therefore ineffective.
The ECJ essentially justified its decision by stating that the Privacy Shield does not provide sufficient protection of data subjects against unlawful processing of their data. The main problem here would be that the Privacy Shield only obliges the companies joining the EU, but does not restrict access by security authorities, for example. The ECJ considered this to be a violation of the provisions of the GDPR.
According to the ECJ, American law, for example, the FISA Act, which concerns foreign reconnaissance and counter-espionage, provides regulations that grant security authorities access to data without the person concerned being able to defend himself against it.
Against this background, the requirements of data protection law are not fulfilled and the privacy shield is therefore ineffective.
SCC possible under certain conditions
On the other hand, the SCC, which the ECJ had to examine in the same way, according to the ECJ, remain in principle an appropriate means to allow data transfers to the third country.
However, this only applies if it is ensured that local laws of the third country do not frustrate the protection of SCC. If this is the case, a data transfer despite SCC is inadmissible unless additional security measures have been taken to protect against unauthorized access.
Otherwise, national supervisory authorities may prohibit and sanction a transfer on the basis of the SCC. In this case, fines of up to Euro 20 million or 4% of consolidated annual sales are threatened.
Based on the findings of the FISA Act for the USA, it can be assumed that more extensive security measures must be taken, especially for transmission to the USA, in order to avoid a breach of data protection.
In response to the decision, the European Data Protection Supervisor Committee has already issued a list of FAQs and recommendations. It is clearly stated here that transfers to the USA must be notified to the competent supervisory authorities if no appropriate protective measures can be taken.
Privacy Shield – What next?
Companies should check whether they use tools or service providers in the USA and whether their use is based solely on the Privacy Shield. If so, there is a call for action.
Providers should be contacted to clarify whether the services can be used exclusively from Europe or whether a switch to the SCC is possible. If no use involving a European server or SCC is possible, the tools should be switched off in view of the threat of sanctions and any further data transfer should be stopped. However, even when switching to SCC, further security measures must be critically examined (e.g. encryption)
Standard contractual clauses (SCC) – Everything ok?
The conclusion of SCC or SCC already agreed with service providers must also comply with the new requirements of the ECJ. Existing SCC must therefore also be reviewed.
In the opinion of the local supervisory authorities, service providers abroad should be asked whether there are any local laws that could conflict with compliance with SCC. If so, there is also a call for action here: data processing must then be additionally secured (e.g. data encryption). Further security measures should be contractually agreed by supplementing the SCC. If no further security measures are possible or appropriate, the transmission must be reported to the local regulatory authority.
Alternatively, it is also possible to check whether an exception under Art. 49 GDPR applies. For example, data transmission may be permitted by way of exception if this is absolutely necessary for the execution of a contract. This is always an assessment on a case-by-case basis.
If SCC should be completely newly agreed upon, it should be ensured in the case of a chain processing agreement that the SCC is concluded between the appropriate parties. However, even with existing SCC, it is worthwhile checking processing chains.
No transition period – immediate call for action
Immediately after the judgement, questions about a possible transitional period or the date from which the judgement is to be implemented increased. In an official statement, the ECJ stated that there is no transitional period and that the Privacy Shield is ineffective with immediate effect. Companies and other responsible parties must therefore act without delay to find and implement ways of transmitting and processing personal data to the USA and other third countries securely and in compliance with the GDPR.