Decision of the CJEU dated 16 July 2020, Rs C-311/18
On 16 July 2020 the European Court of Justice (CJEU) rendered another fundamental decision on the legitimacy of international transfers of personal data (Rs C-311/18):
- What is it about?
In 2013 Maximilian Schrems initiated proceedings against Facebook in which the legitimacy of transfers of personal data from Europe to the USA was contested. In 2015 the CJEU declared the "Safe Harbor" regime, which covered such data transfers at that time, unlawful (Rs C-362/14). In response to that ruling Europe and the USA established a new "Privacy Shield" regime for such data transfers. In the continued proceedings the CJEU has again assessed the legitimacy of transatlantic personal data transfers.
- How did the CJEU decide?
In its decision dated 16 July 2020 (Rs C-311/18) the CJEU invalidated the "Privacy Shield". In summary, the CJEU deems the "Privacy Shield" insufficient because it cannot prevent disproportionate data access by US authorities, since US law itself does not contain sufficient proportionality restraints. Because the "Privacy Shield" neither grants compensating safeguards to Europeans nor grants actionable rights against such US authorities, the CJEU deemed it invalid. In the view of the CJEU, the ombudsman system newly established under the "Privacy Shield" cannot remedy this deficit either.
- Was it all about "Privacy Shield"?
The CJEU ruled on the legitimacy of Standard Contractual Clauses as well. Such Clauses can be used as an alternative to the "Privacy Shield": personal data can legitimately be transferred to a US-based data recipient outside the "Privacy Shield" regime if that recipient has concluded a specific contract (the Standard Contractual Clauses). In its decision the CJEU did take into consideration that the Standard Contractual Clauses, by their contractual nature, cannot have a binding effect on US authorities. However, the CJEU still affirmed the legitimacy of Standard Contractual Clauses because the Court sees appropriate mechanisms in those Clauses that allow for an immediate interruption of the data transfer as soon as the data-receiving US company can no longer properly comply with the Standard Contractual Clauses. Yet the CJEU requires both parties, i.e. the data-exporting European company as well as the data-importing US company, to assess prior to the envisaged data transfer whether the data-importing US company will be able to comply with the duties arising from the Standard Contractual Clauses. Both parties also have to ensure that the data-receiving US company informs the data-exporting European company at any time of its inability to comply with the Standard Contractual Clauses, in which case the latter shall suspend its data transfers.
- What does this mean for me?
The impact of that decision is only partially new. The invalidity of the "Privacy Shield" may trigger reactions similar to those that ensued as a result of the invalidity of "Safe Harbor". European companies, when sharing personal data with US partners, will again have the option to switch to Standard Contractual Clauses, as many companies did when "Safe Harbor" was struck down. The CJEU's affirmation of the Standard Contractual Clauses may give additional comfort in that respect. A new aspect, however, is the CJEU's requirement that the companies will now have to align more comprehensively on whether the Standard Contractual Clauses can effectively be honored by the US partner than has been done in recent practice.
- How should I react?
1. Check whether you are transferring personal data to US companies (note that this is the case in almost all commonly used cloud solutions).
2. Check whether your US partner is a "Privacy Shield" certified company: https://www.privacyshield.gov/list
3. If so, contact your partner and check the option to switch to Standard Contractual Clauses. Note that the CJEU asks you and your US-partner to align on whether your US-partner can sufficiently honor the Standard Contractual Clauses and keep records on this alignment.
4. Check the general terms of your company's international personal data transfers and whether you have adequate data protection safeguards in place to cover those transfers.
5. Keep monitoring the developments on the "Privacy Shield".
By Gunther Leissler, Partner, Schoenherr