The exchange of personal data between the European Union and the United States has suffered a further setback as the EU Court of Justice ruled against the Commission’s Privacy Shield Decision in the Schrems II case. The consequences could be far-reaching and affect data flows not only to the United States. While the Court upheld the Commission’s decision regarding Standard Contractual Clauses (SCCs), any data flow to a third country must respect the GDPR principles and protect the fundamental freedoms of European citizens. The Court made clear that any jurisdiction into which personal data are transferred must offer an essentially equivalent level of personal data protection, assessed by considering both the contractual clauses agreed between the transferring parties and the relevant aspects of the third country’s legal system. Consequently, not only big companies such as Facebook, Microsoft, or Google, but also small and medium-sized businesses, must evaluate all data transfers to non-EU countries and assess the potential risks for the data in question.
The Privacy Shield, ruled invalid by the Court in the Schrems II case, was a legal framework established in 2016 by Commission Decision 2016/1250. In essence, the Privacy Shield was based on a so-called “adequacy decision” under Art. 45 of the GDPR, establishing the United States as a country offering an adequate level of protection. Subsequently, personal data could flow easily between the EU and those companies in the US that were certified under this program. The certification required the companies to specify their identity and contact information and their data processing activities, to designate a corporate officer for the organization, and to accept commitments to dispute resolution and cooperation with EU data protection authorities.
The Data Protection Authorities (DPAs) could not take measures contrary to the adequacy decisions with the exception of reviewing individual complaints, such as in the case of Max Schrems, assessed by the Court.
The Commission’s decision regarding Standard Contractual Clauses, on the other hand, specifies contractual clauses which, when included in a contract, enable the parties to transfer personal data to any country outside the EU (as long as the data are processed by the parties to the contract). While the SCC Decision does take into consideration the legislation of any such non-EU country, the Court did not invalidate it but emphasized that the assessment of local legislation is the task of the parties to the contract in which the clauses are included.
By their very nature, such clauses can bind only the parties to the agreement. Therefore, the parties themselves must determine whether appropriate safeguards ensuring an adequate level of protection pursuant to Art. 46 of the GDPR exist, based on the contractual clauses and the relevant aspects of the third country’s legal system. Moreover, implementing the SCCs does not prevent DPAs from taking measures to suspend or end transfers of data to a specific third country. On the contrary, DPAs have a duty to suspend or prohibit such transfers of personal data if, in their view and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the transferred data required by EU law cannot be ensured by other means.
Assessment of Adequacy
European personal data protection laws allow for transfers of personal data outside the territory of the member states on the condition that an adequate level of protection of personal data is ensured. The protection level must be confirmed either by the Commission’s assessment of the adequate level of protection (in the form of an adequacy decision) or by the controller’s or processor’s self-assessment of the appropriate safeguards.
Until recently, these two approaches have been viewed as distinct and separate. Where the transfer was based on a contract between the data exporter (in the EU) and the data importer (outside the EU), only the contractual terms were assessed. The Court confirmed that this is still necessary, but added that the overall legal environment of the jurisdiction to which the data are transferred also needs to be assessed. This assessment of the particular jurisdiction should take into account the criteria listed in Art. 45(2) of the GDPR, i.e. the criteria for an adequacy decision. These two regimes are therefore getting much closer to each other than before.
From this perspective, the protection of personal data in the United States itself has been found inadequate, as US legislation (according to the assessment of the Court) allows for interferences with the fundamental rights of European citizens without any means of judicial protection against such intrusions. The Court explicitly referred to NSA surveillance programs such as PRISM and UPSTREAM, which take primacy over European data protection rules.
In our opinion, the approach of the Court ignores the gap between data protection law and practice. While the GDPR was enacted at the EU level, not all member states fulfill their duties under the regulation and the Charter of Fundamental Rights of the European Union. In some member states, the data protection rules lack enforcement. In others, the competencies of intelligence agencies are broad, with little oversight and redress. Some member states might even struggle with the rule of law itself.
One example among many is the law in the Czech Republic that obliges telecommunication providers and ISPs to store all traffic and location data for 6 months and to provide law enforcement bodies and intelligence agencies with such data on request. That law is still in force even though the European Data Retention Directive has been repealed and despite the CJEU’s finding in case C-203/15 Tele2 Sverige that general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication violates the Charter of Fundamental Rights of the European Union.
Considering that, it may seem unfair, or possibly even discriminatory, to judge third countries by a legal standard not applied in the member states.
Data Transfers and Organizations
As the Privacy Shield framework is no longer available as a transfer basis, companies must resort to other legal grounds such as the SCCs. Nonetheless, the SCCs are subject to the same criteria of adequacy, which must be assessed by the parties to the transfer. Thus, in the wake of the ruling, not only data transfers to the United States but also transfers to other countries could prove problematic, as the ruling clearly established the criteria of assessment and the DPAs’ duty to act.
The DPAs themselves, however, seem reluctant to enforce their duty under the ruling hastily, with the exception of the German DPAs. The DPAs held a meeting on the Friday following the ruling and issued a statement essentially promising further guidance in the following days or weeks. Only the German DPAs publicly voiced critical opinions on the ruling, with the Berlin DPA going as far as to explicitly recommend that companies transfer personal data stored in the United States back to Europe and to issue a warning of possible sanctions.
So far, big corporations continue to rely on the SCCs as the legal ground for data transfers, despite the ruling. Microsoft reassured its customers of the continuation of its services and of data transfers between the EU and the United States. Similarly, Facebook continues its reliance on the SCCs. Likewise, Google continues to refer to the SCCs as a tool for data transfers for its G Suite and Google Cloud Platform.
The activity of the DPAs will be decisive in the upcoming weeks and months. In the meantime, companies should map their situation and identify processes that rely on data transfers outside the EU (e.g., due to the use of cloud services). Next, companies should check to which countries the data flow and what the legal grounds for such transfers are. When relying on the SCCs, companies must now assess whether the legislation of the destination countries provides an adequate level of data protection, which, at least for the United States, currently seems doubtful at best.
By Michal Nulicek, Partner, and Filip Benes, Junior Lawyer, Rowan Legal