ECJ ruling on data transfer to the USA

Sonja Dürager

20 July 2020 – need2know

What happened?

As is well known, data may only be transferred to the USA if the requirements of Chapter V of the GDPR are fulfilled, thus essentially ensuring that the data enjoy the same fundamental protection afforded at European level. A suitable means of demonstrating this adequate level of data protection at the data recipient in the USA was most recently the so-called EU-U.S. Privacy Shield Agreement (Privacy Shield Decision), which was deemed appropriate by the EU Commission on 12 July 2016 (Decision (EU) 2016/1250). What is precarious about this is that this Privacy Shield Decision was already a successor regulation which replaced the “Safe Harbor” adequacy decision previously overturned by the ECJ on 6 October 2015 (Rs C-362/14). A few days ago, on 16 July 2020, the ECJ also declared this “new” agreement to be invalid (Case C-311/18).

On the occasion the ECJ also examined another popular alternative legal instrument in transnational data transfer in this decision, namely the European Commission Decision on standard contractual clauses for the transfer of data to third countries (now: standard data protection clauses; in short: SCC Decision). To the delight of many, the ECJ confirmed the validity of these clauses, but stressed the individual responsibility of those examining the adequate level of data protection in the third country.

Precisely because of this personal responsibility of the controller, the question remains whether there is an efficiently feasible and data protection-compliant option for European data exporters to continue transferring data to the USA.

How did the decision come about?

The ECJ was given the opportunity to overturn the privacy shield agreement, which had polarised from the outset, after Max Schrems, as a Facebook user, challenged the legality of the transfer of his data from Facebook Ireland to Facebook Inc. before the Irish data protection authority (the Data Protection Commissioner). Originally, his complaint was based on the Safe Harbor Decision as the basis for the transfer sought by Facebook. After it emerged from the evidentiary proceedings that the transfers were predominantly based on the standard protection clauses, Max Schrems reformulated his complaint, and the data Data Protection Commissioner took up the potential invalidity of the SCC Decision. The High Court, which subsequently referred the case to the ECJ, then indirectly criticised the validity of the Privacy Shield Agreement. One of the questions referred was whether the Privacy Shield Decision was binding on the supervisory authority in so far as  that that the guarantee of an adequate level of data protection in the USA must be assumed on this basis. .

Why is the privacy shield agreement not valid?

While the ECJ affirmed that the authorities were bound by the findings made in an adequacy decision, the ECJ, in line with the arguments put forward by the High Court regarding the US intelligence system, had doubts as to whether the law in the US actually provided the level of protection required by the fundamental rights guaranteed in the EU Charter of Fundamental Rights (the Charter).

The ECJ stated from two points of view that the Privacy Shield Decision was incompatible with the Charter and therefore invalid. First, the legal bases for monitoring programs such as PRISM and UPSTREAM were qualified as not being in conformity with the Charter, since a legal basis for interventions in fundamental rights must, in order to comply with the principle of proportionality, itself determine the extent to which the exercise of the right in question is restricted, provide clear and precise rules on the scope and application of the measure in question and lay down minimum requirements. Since the relevant US legal framework would not confer any such rights on the data subject that could be enforced through the courts against the US authorities, the guarantees set out by the Charter are not fulfilled. Second, the ECJ considered that the prescribed ombudsman mechanism does not constitute an effective remedy before an independent and impartial court to obtain access to or erasure of data. Not least because the ombudsman could not make binding decisions vis-à-vis the intelligence services.

Are the standard data protection clauses still valid?

With regard to the standard data protection clauses which were actually valid, the ECJ came to the legal opinion that these were not objectionable and that it was rather the task of the supervisory authority to suspend or prohibit a transfer based on the SCC Decision if the authority was of the opinion that the clauses were not complied with in the third country and that the necessary protection of the transferred data was not guaranteed. In particular, however, the ECJ referred to the responsibility of the controller and/or the data processor if the contractual regime under Art 46 (2) lit c GDPR is used as the basis for a transfer to a third country. Thus, the person responsible had to check whether the country of the recipient ensured adequate protection of the data transmitted in accordance with Union law. If unable to agree on such additional guarantees that ensure the adequate level of data protection, the person would ultimately be forced to suspend data processing.

The end of the privacy shield and what comes next?

This ECJ decision removes the justification for a large number of data transfers to the USA. It is now primarily up to European companies to find alternative guarantees within the meaning of the GDPR without delay in order to legitimise transfers to the USA. Until such a solution is found and implemented, the exchange of data would have to be suspended, as the ECJ has not provided for a transitional period.

Which alternatives to the privacy shield agreement are recommendable depends primarily on the business model; there is no patent remedy for legitimising the transfer of data to the USA. For example, for a data transfer in a multinational corporation, it is expedient to handle it on the basis of Binding Corporate Rules, while for other transfers with non-affiliated companies, the execution of standard data protection clauses makes sense as a quickly available guarantee.

Standard data protection clauses as an appropriate alternative with conditions.

Insofar as standard data protection clauses are an instrument for international data transfer that has now even been approved by the ECJ, special attention should be paid to ensuring that, on the one hand, the necessary level of individualisation is carefully carried out and, on the other hand, that the law in the country of destination is checked for conformity with the assurances required by the data importer. If necessary, additional measures may have to be taken, for example to limit access to the data by foreign intelligence services (e.g. ensuring technical measures so that US companies/US authorities do not have direct access to data of the persons concerned; encryption during transport and storage of data).

Check whether there is an exception to the approval requirement.

It should further be mentioned that the GDPR also provides for substantive exceptions to the requirement for approval of data transfers to third countries, the existence of which should therefore be examined in each individual case. Thus, in addition to the express consent of the data subject (whereby the data subject must also have been informed of the possible risks of such data transfers), the transfer must be mentioned as a requirement for the performance of a contract between the data subject and the controller (Art 49 para 1 lit b GDPR). Even if this contract was not concluded with the data subject, but serves the interests of the data subject (e.g. transport contract), the transfer to a third country should be justified (cf. Art. 49 para. 1 lit. c GDPR).

To Do: Reorganisation of transatlantic data traffic.

In light of this decision, many companies will face a major challenge in the coming days and weeks, as in many cases insourcing or changing the service provider or reorganizing the data flow without involving the USA is out of the question — whether because the largest and most technical service providers and cloud providers are based there, or because many US corporations have subsidiaries in Europe — and a new guarantee under the  GDPR must therefore be found. This requires a careful sorting of the starting position and analysis of the available legal instruments. Only when this has been done can transatlantic data transfer be allowed to take place unhindered again.

This article provides a general overview of the legal situation, but does not replace legal advice and comprehensive clarification in individual cases.