The European Court of Justice, in a judgment delivered on July 16, 2020 (C-311/18), declared the EU-US agreement on the protection of personal data called EU-US Privacy Shield invalid. In the ruling, the ECJ goes on to state that the available standard data protection clauses can in principle continue to apply to the transfer of personal data to third countries. However, companies that base their data transfer on standard data protection clauses are obliged to monitor compliance with the contractual clauses.
The ECJ had been asked by the High Court of Ireland for a preliminary ruling on a number of questions concerning the transfer of personal data from Ireland to the United States. The background to the decision is a complaint originally lodged with the Data Protection Commissioner in Ireland in 2013 by the Austrian data protection activist Max Schrems. In his complaint, Mr. Schrems objected to the transfer of his personal data from an Irish company to its American parent company. In a previous preliminary ruling procedure arising from the same complaint, the ECJ had already ruled in 2015 on the legality of the predecessor arrangement, “Safe Harbor”, and invalidated it as well.
Under the GDPR, transfers of personal data from the EU to third countries are only permitted if it is ensured that the level of data protection in the recipient country does not fall below the level applicable in the EU under the GDPR. The EU-US Privacy Shield was used to guarantee a corresponding level of protection in the USA. Applying Art. 45 of the GDPR, the European Commission recognised this agreement as providing a level of protection equivalent to that of the GDPR. That Commission decision has now been overturned by the ECJ on July 16, 2020. The ECJ found that there are no effective protective mechanisms for non-US citizens to protect the transferred personal data from access by the US intelligence services. According to the findings of the ECJ, and in relation to data of non-US citizens, the intelligence services are able to access such data without any significant and effective restriction. In the opinion of the ECJ, this results in massive restrictions on the fundamental rights of the persons concerned, which cannot be accepted within the scope of the GDPR. In particular, the ECJ found that the very extensive surveillance programmes of the US intelligence services are not limited in their extent to what is strictly necessary. As a result, access to the transferred personal data by the intelligence services can lead to unjustified restrictions of the fundamental rights of EU citizens that are guaranteed by the EU Charter of Fundamental Rights. According to the ECJ, the GDPR is to be interpreted in the light of the EU Charter of Fundamental Rights, which is why such an undercutting of the level of protection by the now invalidated Privacy Shield agreement is unacceptable.
In the same decision, the ECJ confirmed that data transfer to third countries may still be possible on the basis of standard data protection clauses agreed between the parties in application of Article 46 of the GDPR. Although the standard data protection clauses currently available are much older than the current GDPR, the ECJ has ruled that this would not prevent them from continuing to apply.
However, the Court underlined that data controllers who make use of the standard data protection clauses are obliged to verify the level of data protection in the country to which the data are transferred instead of relying “blindly” on standard data protection clauses. The ECJ imposes the following specific obligations on data controllers:
- Data controllers should, as far as possible, determine whether the laws on the protection of personal data of the recipient country fail to provide adequate protection for the data subjects and, if that is the case, they must take measures to ensure a level of data protection equivalent to that provided for in the GDPR. In particular, they must ensure that the data subjects have enforceable rights and access to effective administrative and/or judicial procedures to enforce their data protection rights.
- The data controllers must suspend or stop the transfer of data to a third country if the data controller or processor cannot take these additional measures to ensure an adequate level of protection.
The immediate consequence of the decision is that companies that currently exchange data on the basis of the EU-US Privacy Shield no longer have an adequate legal basis for doing so. In the worst case, this opens the way for complaints from affected parties and can therefore make affected companies vulnerable to sanctions by the competent data protection authorities. Alternative GDPR-compliant options for data transfer, such as the introduction of standard data protection clauses or binding internal data protection regulations, cannot in most cases be put in place at short notice. Additionally, they can cause a variety of new problems. The companies affected by the decision should nevertheless review their current practice as soon as possible to clarify whether there is an immediate need for action.
It remains to be seen how the European Commission and the US Department of Commerce will position themselves on the current developments. Although the ECJ ruling is effective immediately, we expect that the EU Commission will grant a conversion period to companies utilizing the EU-US Privacy Shield (as was also the case previously when the “Safe Harbor” agreement was invalidated).
On July 23, 2020 at 6pm (German time – CEST) Ogletree Deakins will offer a webinar on the recent ECJ decision and its impact on companies and businesses. We would like to welcome you among the participants. Please feel free to register using the following link.