Privacy
Shield
invalid!
Privacy
Shield
invalid!
from
The transfer of personal data to the USA regularly takes place on the basis of the EU-US Privacy Shield or the so-called standard contractual clauses. Both legal bases were assessed by the European Court of Justice, with the result that data transfer to the USA is likely to become difficult in the future.
What is it about?
The background to this was a dispute with Facebook led by Austrian Max Schrems. Mr. Schrems wanted to prevent a transfer from Facebook Ireland to Facebook Inc. in the USA and lodged a complaint with the Irish supervisory authority.
These proceedings led to the ECJ ruling in October 2015, which declared the “Safe Harbor” agreement invalid.
As the successor to “Safe Harbor”, the EU-US Privacy Shield was then launched, which, among other things, aimed to improve the position of those affected through an ombudsman.
The ECJ has now had to deal with the case again. This time it concerned the question of the permissibility of data transfer based on the Privacy Shield and the standard contractual clauses.
Decision of the ECJ on the Privacy Shield
The ECJ declared with Judgment of 16.07.2020 – Ref. C-311/18 invalidates the Privacy Shield.
The reason for this is that, under US law, the US authorities are allowed to access and use personal data transferred from the EU to the US without having to meet requirements comparable to those in the EU. Surveillance programs based on US legislation are not limited to what is strictly necessary. The relevant provisions of certain surveillance programs in no way indicate that there are any restrictions on the authorization contained therein to carry out these programs. Nor is it apparent that there are any guarantees for the persons potentially covered by these programs who are not American citizens. Although there are requirements that the US authorities must comply with when implementing the surveillance programs in question, these cannot be enforced by the data subjects against the US authorities in court. The ombudsman introduced with the Privacy Shield Decision 2016/1250 is not sufficient to guarantee appropriate legal protection.
ECJ on standard contractual clauses
With regard to the standard contractual clauses, the ECJ confirms their validity, meaning that they can generally be used as a basis for transferring personal data to third countries.
However, in the context of such a transfer to a third country, the data subjects must enjoy a level of protection equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter of Fundamental Rights of the European Union. When assessing this level of protection, both the contractual provisions between the respective parties and the relevant aspects of the legal system of that country, in particular with regard to any access by the authorities of the third country, must be taken into account.
In the absence of a valid adequacy decision by the EU Commission, the supervisory authorities are obliged to suspend or prohibit the transfer of personal data to a third country if they assume that the standard data protection clauses are not or cannot be complied with in that country.
The data exporter and the recipient of the transferred data must check in advance whether the required level of protection is complied with in the third country in question. The recipient of the transferred data may have to inform the exporter that it cannot comply with the standard protection clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient.
Conclusion
After today’s ruling by the ECJ, it hardly seems possible to transfer personal data in compliance with data protection regulations. As expected, the Privacy Shield no longer provides a legal basis. However, the standard contractual clauses are also no longer likely to be a sufficient basis in view of the ECJ’s statements on the USA, as the ECJ has essentially found that the standard contractual clauses cannot be complied with in the USA. It remains to be seen how the supervisory authorities will position themselves in this regard. Today’s press release from the Hamburg Commissioner for Data Protection and Freedom of Information suggests that the supervisory authorities may take a strict approach here.
Incidentally, the companies are once again being passed the buck, as they must check in advance whether the required level of protection is complied with in the third country in question. For all companies that transfer personal data to the USA, there is an urgent need to adapt to the new situation, especially if the current transfer was only made on the basis of the Privacy Shield.
We are happy to
advise you about
Data protection!
