That time has come around again. Five years after the previous data protection agreement, "Safe Harbor", was struck down, its successor "Privacy Shield", which governs the transfer of personal data between private companies in the EU and the USA, has now also been rejected.
In its ruling of 16 July 2020 (in the so-called "Schrems II" case, brought by the Austrian activist Max Schrems against, among others, Facebook), the European Court of Justice states that Privacy Shield does not provide sufficient protection for personal data and that transfers of personal data to the United States relying on Privacy Shield are therefore illegal. Several thousand companies in the USA base their activities, and their exchange of personal data between the EU and the USA, on their participation in Privacy Shield in order to enable trade and the exchange of services across the continents. It goes without saying that this ruling overturns the reality of thousands of companies, whose transfers of personal data have become illegal overnight.
What is Privacy Shield and why has it been rejected?
In order for personal data to be transferred to a "third country", i.e. a country outside the EU, the GDPR requires that whoever receives and processes the personal data in the third country ensures an adequate level of protection. This means that the data must be protected in the same way, and to the same standard, as the GDPR guarantees within the EU. Article 46 of the GDPR sets out various approved forms of "appropriate safeguards" that can be used to make transfers to third countries lawful. In the absence of an appropriate safeguard, the transfer is illegal.
One such appropriate safeguard was the data protection agreement between the EU and the US known as Privacy Shield. Because US companies that joined Privacy Shield had to meet the requirements it imposed on them, such companies were considered to maintain an appropriate level of protection, and the transfer of personal data to a Privacy Shield-certified company was therefore permitted under the GDPR. However, after a long court battle, it is now clear that the European Court of Justice does not consider the Privacy Shield agreement to guarantee that appropriate safeguards are maintained. The primary reason for the rejection is the federal surveillance legislation in the United States, which gives US authorities and the government access to personal data held in the private sector as well.
First, the European Court of Justice ruled that US surveillance laws, as assessed by the Commission in its Privacy Shield decision, are not limited to what is strictly necessary and proportionate under EU law and thus do not meet the requirements of Article 52 of the EU Charter of Fundamental Rights.
Second, the European Court of Justice ruled that, with regard to surveillance by US authorities, EU data subjects do not have effective remedies before a court and therefore have no access to judicial review by an independent and impartial tribunal in the United States, as required by Article 47 of the EU Charter.
Are there other legal ways to transfer personal data to the United States?
There are other ways to transfer personal data to companies in the United States. The most common safeguards for ensuring that a company in a third country maintains an appropriate level of protection under Article 46 GDPR are either to enter into agreements under the so-called Standard Contractual Clauses (SCC) or for the companies to adopt Binding Corporate Rules (BCR). Both of these mean, somewhat simplified, that the companies contractually undertake to process and protect personal data in accordance with the requirements of the GDPR. The Schrems II ruling does not mean that the standard clauses or binding corporate rules have been rejected, so these can continue to be used for transfers of data to the USA. However, transfers based on them are only legal if the companies can actually live up to them in practice. Because federal law in the United States takes precedence over whatever the companies have agreed contractually, it is doubtful whether this will really work in practice.
The European Data Protection Board (EDPB) has provided some guidance and compiled a FAQ that can be read here and here. The EDPB states that where the law of the third country may conflict with the standard clauses or the binding corporate rules, "complementary measures" must be taken to ensure a level of protection essentially equivalent to that provided in the EU, and that the law of the third country must not impinge on those measures so as to undermine their effectiveness. However, it is not specified what such additional measures may consist of. The EDPB states that the additional measures must be assessed on a case-by-case basis, taking into account all the circumstances of the transfer and following an assessment of the law of the third country, in order to check whether it ensures adequate protection.
The FAQ further states that the EDPB is currently analyzing the Court's judgment to determine what kind of additional measures, whether legal, technical or organizational, may be taken on top of the SCC or BCR in order to transfer data to third countries where the SCC or BCR do not on their own provide a sufficient level of guarantees. We can only say that we look forward to such further guidance, as it currently looks very difficult, on the basis of the Court's reasoning in the judgment, to transfer data to the United States lawfully. Such a situation is difficult to handle, to say the least, given the volume of trade and services exchanged across the continents.
What to do?
All companies that in one way or another transfer personal data to third countries (primarily the USA), whether within the framework of their own activities or through collaborations with, or services from, companies outside the EU, should review their processor relationships and data processing agreements. In particular, they should analyze which appropriate safeguard is used to enable each transfer and whether that safeguard still meets the requirements. If a transfer is based on Privacy Shield, the transfer is illegal and must therefore cease immediately until another appropriate safeguard has been put in place.
Morris' GDPR team monitors the development and aftermath of the European Court of Justice's ruling and we look forward to further concrete and practical guidance from the EDPB.