ECJ Declares the EU-U.S. Data Privacy Shield Framework Invalid
ECJ, judgment of 16.07.2020 C-311/18 ("Schrems II")
Data transfers from the EU to the US have always been a difficult process from a legal point of view. The ECJ has now struck down a data privacy pack used to establish an adequate level of data protection – the EU-U.S. Data Privacy Shield.
1. Case Background
The Austrian complainant has been using Facebook since 2008. For providing this service, the provider Facebook Ireland transmits and processes at least part of personal data from all users resident in the EU on servers of the parent company Facebook Inc. in the United States. His complaint towards the Irish Data Protection Commissioner seeks to suspend that transfer as due to the surveillance practices of the U.S. government agencies the United States do not provide of an adequate level of data protection. This complaint already led to a judgment of the ECJ of 6 October 2015 in which the Safe Habor principles were deemed insufficient (so-called Schrems I judgment).
Based on that ruling, the Irish Data Protection Commissioner asked the complainant to reformulate his complaint. Hence, the complainant now alleges Facebook's data processing based on the Standard Contractual Clauses (“SCC”) annexed to Decision 2010/87 is suspended or prohibited. With the decision of the EU-Commission 2016/1250 on the adequacy of the protection safeguarded by the EU-U.S. Data Privacy Shield, the case also called into question the validity of that framework. .
2. Applicability of GDPR
The ECJ first outlines that the transfer of data from Facebook Ireland to Facebook Inc. falls within the scope of application under Article 2(1) of the GDPR. Particularly, the fact that the data are processed by state protection authorities when they are transmitted or subsequently does not have any impact.
3. Standard Contractual Clauses (SCC)
In the case, the ECJ states that, although the SCC only bind the respective contracting parties, they provide for effective mechanisms establishing a level of data protection equivalent to that guaranteed within the EU. Nevertheless, the recipient of the data in the third country concerned must verify and check to which extent in the third country have access to the data, as set out in Article 45(2) of the GDPR and thus, the requirements of the SCC can be met. In this respect, the ECJ confirms the decision of the European commission on the SCC and their establishment of an adequate level of data protection remaining valid.
4. Rights of Data Protection Authorities
However, the competent data protection authorities are still entitled to suspend or prohibit the transfer of data to third countries on the basis of the SCC, provided that the Authority, taking into account all the circumstances of the individual case, considers that the provisions are not complied with or cannot be complied with and cannot be ensured by the use of other means, as provided for by Articles 45 and 46 GDPR.
5. EU-U.S. Data Privacy Shield does not guarantee for sufficient Data Protection Level
By contrast, a company's certification under the EU-U.S. Data Privacy Shield does not guarantee an adequate level of data protection. Among others, this certification does not prevent U.S. government agencies from accessing data of that company or make it subject to surveillance programmes.
There is also a lack of effective and enforceable cause of action that would allow individuals to enforce their rights in court against the U.S. government agencies. The Ombudsman mechanism introduced by the US authorities does not guarantee an effective redress equivalent to a legal remedy leading within the European Union. Accordingly, the EU Commission's Decision 2016/1250-is incompatible with the requirements of the GDPR and therefore invalid.
6. What to do? How can Companies secure their Data Transfer to the U.S.?
The ECJ's decision is a minor but predictable sensation. The EU-U.S. Data Privacy Shield contains rules and procedures comparable to the Safe Habour procedure, which was deemed unsuitable to establish an adequate level of data protection as early as 2015.
This fundamentally calls into question the transfer of data with the important economic partner USA. It is also obvious that the SCC cannot serve as the sole means for addressing the issue of US authorities accessing data of EU citizens. The sword of Damocles of the data protection authorities now always hangs on this, authorizing them to suspend or prohibit a transmission at any time.
It remains to be seen whether the EU and the U.S. can quickly enter into a new agreement. The data protection authorities will also give a comprehensive position on the ECJ's decision and make recommendations for action. Providers, such as Google and Facebook, are also expected to adapt their data processes and, if necessary, refrain from forwarding data to the United States.
For the time being, however, the following measures are recommended:
- Analysis of data processes involving a transfer of data to the United States. Preferably, this should not contain any data being of existential importance to the company.
- Perform a prior impact assessment on the US company based on the GDPR.
- Create alternative solutions through data transfer to other countries with an adequate level of data protection, which may be implemented on an ad hoc basis when instructing an authority. It should also be examined whether exceptional facts can be created by anonymization or encryption or at least asking for a consent.
- Ensuring that the Standard Contractual Clauses are in place for data transfers to third countries with no adequate data protection level.
- Apply the provision of Art. 49 a) GDPR, clearly inform the users on the risks of the transfer and collect their consent.