ECJ rules that Privacy Shield is invalid – What does this mean for companies?
by Bettina Backes, HAVER & MAILÄNDER Rechtsanwälte Partnerschaft mbB
The recent judgment on the Privacy Shield passed by the European Court of Justice (ECJ) on 16.07.2020 (Maximilian Schrems v Facebook Ireland - C-311/18) poses new challenges for transatlantic data transfers. Not only companies and supervisory authorities but also the EU Commission now face difficult tasks.
What does the Privacy Shield ruling say?
In its ruling of 16.07.2020 (C-311/18), the European Court of Justice (ECJ) declared that the EU Commission’s adequacy decision on the Privacy Shield was invalid. In the past it was permissible for a company domiciled in the EU to transfer personal data to a company in the USA which participated in the Privacy Shield. This now no longer applies. The ECJ also addressed the transfer of data to US companies based on EU Standard Contractual Clauses. In principle, the ECJ held that these standard contractual clauses were admissible, but it did impose extensive verification obligations on the users. According to the ECJ, the standard contractual clauses can only serve as the legal basis if the level of protection of the European Union is also actually complied with in the target country (third country). This has to be checked by exporters of personal data. Since, when it examined the Privacy Shield, the ECJ considered the level of data protection in the USA to be inadequate, it can be assumed that the transfer of data on the basis of the standard contractual clauses could hardly be considered to be effective either. De facto this is currently likely to lead to a situation whereby it is not permissible to transfer data to the USA on this basis either. This means that companies are now being faced with considerable difficulties.
What is the reasoning for the ruling of the European Court of Justice?
The rationale for the ECJ’s decision is, essentially, the comprehensive rights of the US security authorities to access personal data. The ECJ established, for instance, that, on the basis of the surveillance programmes PRISM and UPSTREAM pursuant to Section 702 FISA (Foreign Intelligence Surveillance Act) and also based on E.O. 12333, the American authorities are entitled to access the personal data transferred from the European Union to the United States. The ECJ is of the opinion that, in this regard, the law of the United States does not ensure the fundamental rights enshrined in the Charter of the European Union, as the relevant regulations do not provide for the necessary limitations and safeguards or ensure effective legal protection against such interferences. The Privacy Shield Ombudsperson would not be able to remedy this deficiency either. To this extent it was not held to be possible to guarantee, in particular, a level of data protection adequate for the European Union. Whilst, in this connection, the fact that the FISA primarily addresses telecommunications corporations and not all US corporations had to be taken into account, accessing data on the basis of the FISA surveillance programmes can, nonetheless, also be indirectly extended to the communications of other US corporations if they use the services of telecommunications corporations whose data can be accessed by the US authorities. It therefore seems doubtful whether US corporations can actually fully exclude such data access.
What are the practical effects of the ruling?
The judgment will create considerable practical difficulties for a large number of companies.
Companies are permitted to export personal data to a third country, i.e. to a country outside the EU, only if one of the following guarantees of an adequate level of data protection applies:
- The EU has adopted an Adequacy Decision establishing that the so-called third country has an adequate level of data protection. These countries include, for example, Switzerland, Japan, New Zealand, Andorra, Argentina, Canada and Israel, but not China, Russia and several other countries.
- Up until now, the European Commission had declared that the transfer of data to the United States of America was permissible subject to certain conditions. This was effected by means of an Adequacy Decision, notably the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (Privacy Shield). The Privacy Shield was an agreement between the European Union and the United States of America. Personal data could only be transferred to a US corporation if it had agreed to the so-called Privacy Shield and in this connection had applied certain oversight mechanisms and provided guarantees for the protection of personal data. This Privacy Shield has now been declared invalid.
- The contracting parties in the European Union and the United States sign so-called EU Standard Contractual Clauses. The contract templates evolved by the European Union commit the contracting parties to adhere to the European level of data protection. However, they permit the transfer of data only if the level of data protection is also actually complied with. A mere promise by the contracting parties does not suffice. This has now again been clarified by the ECJ.
- Further, companies in third countries can adopt their own binding data protection rules (Binding Corporate Rules). Such rules are quite rare, however, as they have to be approved or certified externally. This legal basis is to be found primarily in quite large corporate groups.
- The transfer of data is necessary for certain reasons which are definitively stipulated in the GDPR (General Data Protection Regulation) and which are evident to the data subjects, e.g. for air travel and hotel reservations, e-mail communications, public and vital interests.
- The data subject has consented to the data transfer. Such a declaration of consent is difficult to obtain as there are stringent requirements regarding the transparency (information to the data subject), the explicit granting of consent and that the consent be freely given on a voluntary basis (the requirement that it be freely given is particularly difficult for employees; sec. 26 German Federal Data Protection Act (BDSG)).
- Under the GDPR, sector-specific codes of conduct which have to be approved and also certifications are conceivable; in practice, however, these have been virtually insignificant to date.
Through the current ruling of the European Court of Justice, the two tools for transferring data to the USA that are the least complicated and most frequently used in practice, notably the Privacy Shield and the standard contractual clauses, have been practically eliminated. Although the standard contractual clauses can still be used formally as the basis for transferring data, the court does impose considerable verification obligations on the companies. For instance, the ECJ establishes that it is incumbent above all on the data controller and/or its processor to verify in every single case – if appropriate in conjunction with the recipient of the transfer – whether the law of the third country of destination guarantees adequate protection, in accordance with the law of the European Union, to the personal data transferred on the basis of standard data protection clauses and whether, in case of need, even more guarantees have to be provided than those required under the clauses. If this protection cannot be afforded by such additional guarantees either – as has to be assumed in the case of the USA according to the ECJ ruling – then the legally effective transfer of personal data to this third country is not possible.
Another important correlation also has to be taken into account. Although the relevant ruling of the European Court of Justice is merely concerned with the transfer between the European Union and the USA, and not therefore with the transfer of data to any other third countries, such as India, China or Russia, the judgment nonetheless also indirectly impacts the transfer of data to these third countries. The ECJ did not mention these countries, but even so this begs the question here too as to whether transferring data to these third countries is possible at all. The judgment imposes difficult verification obligations on the data exporter which it is hardly able to fulfil without assistance as they involve an in-depth understanding of the law of the relevant recipient country.
Companies are clearly being left entirely to their own devices and cannot currently rely on receiving any support from government authorities or from the European Union. The EU Commission was reportedly already prepared for the negative judgment. The Commission advises that discussions are to be recommenced with the US administration in order to establish mechanisms for transferring data with legal certainty. Experience shows, however, that negotiations sometimes take too long for businesses. The negotiations already took six months in 2015, when the Safe Harbour Agreement, the predecessor to the Privacy Shield, was repealed by the ECJ (ECJ of 06.10.2015 – C-362/14). Faster and clearer progress appears rather unlikely in the current political climate.
The German Association for Data Protection and Data Security (GDD) therefore demands that the EU supervisory authorities initially refrain from imposing any sanctions on the export of personal data to ensure that companies have sufficient time to evaluate their data flows. In addition, the GDD requests that the European Data Protection Board draw up indications of the criteria that will apply to discontinuing the export of data to a third country and that it endeavours to prevent national supervisory authorities from acting unilaterally.
What action has to be taken?
Companies are advised to take the following measures:
a) Primarily, to examine whether it is possible to avoid transferring data to the USA and to replace existing contracts by corresponding agreements with companies domiciled in the European Union; in particular, to ensure that the locations of the servers and computer centres used are in the European Union. Companies should at least take preparatory action so as to be ready and prepared for audits by the supervisory authorities. The use of service providers with US subcontractors should also be stopped.
b) All the contracts (order processing, joint data processing) have to be revised. This also applies to Data Protection Notices and to Data Privacy Statements.
c) EU standard contractual clauses should be agreed as a precaution unless this has already been done. In particular, all recipients in the USA must be asked how the EU data protection standard can be ensured. If their responses are negative, however, there should be an immediate changeover. If it transpires that the recipient is not in a position to ensure the data protection standard, the data transfer can be suspended. Companies also have to examine whether rescinding or terminating the contract is conceivable. In this case, all the data have to be returned or destroyed. Claiming damages can also be given consideration in individual cases. It is possible that there might be a reporting obligation to the supervisory authorities.
d) If at all possible, consents are to be sought from the data subjects. Here, informing the data subjects in a transparent and comprehensive manner is of particular importance, as is ensuring that consent is given freely. It must always be borne in mind, however, that the consent is revocable. This means that once consent has been withdrawn, data processing has to be discontinued unless there is another legal basis permitting further processing.
What consequences do companies face if they improperly transfer data to the USA or to any other third country?
Problems for companies loom from the supervisory authorities, from data subjects and from competitors.
- The controller has to anticipate action being taken by the data protection supervisory authorities. This can range from warnings, imposing fines (up to 4% of a company’s annual worldwide sales) through to prohibiting data transmission. The requirement for the supervisory authorities to act is explicitly mentioned in the ruling of the European Court of Justice.
- Controllers have to anticipate receiving warnings from data subjects in which they are required to cease and desist and to pay compensation. In such cases, the costs of the warning have to be refunded and any contractual penalties have to be paid and also administrative fines in the event of a renewed offence.
- Competitors and especially consumer protection organisations can also issue respective warnings. Whether or not this is possible on the basis of competition law is still a contentious issue. The courts in Germany disagree on this to date (see most recently OLG (Court of Appeal) Stuttgart, judgment of 27.02.2020 – 2 U 257/19) and the German Federal Court of Justice (BGH) has not yet given a ruling on the subject. However, particularly in the light of the most recent case law, the risk of competitors or consumer protection organisations prevailing is by no means slight.
Conclusion
If at all possible, companies should refrain from transferring data to the United States and instead they should select companies with registered offices in the EU or EEA, especially European service providers and sub-contractors.