30.07.2020 | KPMG Law Insights

ECJ declares EU-US Privacy Shield invalid: contracts for the transfer of personal data to the United States must be adapted.

In its decision on the EU-US Privacy Shield, the ECJ found, as it had previously for the Safe Harbor agreement, that it cannot guarantee an adequate level of data protection. The court thereby removes the legal basis for a large part of transatlantic data transfers. European companies are now forced to review all of their agreements covering data transfers to the United States and, where necessary, put them on a different legal footing.


Background to the decision
The transfer of personal data to companies in the United States of America has become commonplace, not least because of the omnipresent use of cloud services. The services of the large American cloud providers have become an integral part of the operational processes of many European companies. The European General Data Protection Regulation, however, imposes strict requirements on such transfers to companies in countries outside the EU or EEA: it must be ensured that the level of data protection in the recipient company’s country is essentially equivalent to the level of data protection in Europe. This adequacy of the level of data protection can be established through various mechanisms. One of them, probably the most frequently used, is the adequacy decision negotiated and concluded in 2016 between Europe and the United States, the so-called EU-US Privacy Shield. Other mechanisms are also available, such as the EU standard contractual clauses (“standard contractual clauses”) or binding corporate data protection rules (“binding corporate rules”).

Austrian data protection activist Max Schrems brought proceedings against the EU-US Privacy Shield on the grounds that it does not provide sufficient protection for European data subjects, in particular because of the far-reaching powers of American intelligence agencies, and accordingly cannot ensure a level of data protection adequate to European data protection requirements. The European Court of Justice (“ECJ”) has now ruled on both the EU-US Privacy Shield and the EU standard contractual clauses.


The ECJ’s decision and its supporting reasons
In its “Schrems II” decision of July 16, 2020, the ECJ found that EU Commission Decision 2016/1250 of July 12, 2016, which established the “EU-US Privacy Shield” as the successor to the Safe Harbor agreement, is likewise invalid. This ruling has very far-reaching consequences, because from now on the transfer of personal data from European companies to US companies can no longer rely on this frequently used legal basis. At the same time, the ECJ ruled that the EU standard contractual clauses are not invalid, at least on the basis of the facts and arguments presented in these proceedings, and may in principle continue to be used as a legal basis.


The ECJ based its finding that the EU-US Privacy Shield is invalid essentially on the following reasons:

  • In the opinion of the ECJ, the EU Commission’s decision on the adequacy of the level of protection is flawed for several reasons and must therefore be overturned. Contrary to the Commission’s view, the ECJ considers insufficient both the proportionality and legal certainty of the possibilities of state access to the data of European citizens and the availability of an effective legal remedy for European citizens against access by U.S. government agencies.
  • The ECJ first states that the EU-US Privacy Shield itself already permits limitations on the protection of the rights and freedoms of data subjects to the extent that a limitation is necessary for the national security, public interest or law enforcement interests of the United States.
  • The ECJ goes on to say that in fact there is no limitation to what is necessary: on the one hand, U.S. security laws contain neither clear conditions for access to the data of European data subjects nor minimum standards for the protection of rights and freedoms in the event of such access. On the other hand, the protection of individuals is not adequately regulated, especially with regard to surveillance measures of the intelligence services such as the PRISM or UPSTREAM programs that became known through Edward Snowden; these programs are merely approved in a general way on the basis of an annual review of the overall program. According to the ECJ, this is not an effective limitation of the interference with rights and freedoms to a necessary and proportionate level.
  • As a further fundamental reason for its decision, the ECJ states that European persons affected by such measures do not have sufficient legal remedies at their disposal. In particular, the ombudsman provided for by the EU-US Privacy Shield does not offer sufficient legal protection in terms of European fundamental rights.
  • The ECJ first notes that the EU-US Privacy Shield itself already excludes the ombudsman from reviewing some measures in which US intelligence agencies conduct electronic surveillance for national security purposes. This lack of jurisdiction alone makes it impossible to assume a level of legal protection that satisfies the requirements of the European Charter.
  • Finally, the ECJ states that the ombudsman provided for under the EU-US Privacy Shield is neither independent nor able to make decisions that would bind the government entity carrying out the access. Although the EU-US Privacy Shield describes the ombudsman as independent of the intelligence community, the ombudsman is appointed by the U.S. Secretary of State, is a member of the U.S. State Department, and can be removed from office without any special protections. Ultimately, according to the ECJ, there is no discernible legal assurance that decisions of the ombudsman would be binding on, and enforceable against, other state bodies. Nor are there any discernible political commitments on which European data subjects could rely.


Consequences of the Decision and Recommendations for Action
For the main reasons set out above, the decision declares the EU-US Privacy Shield invalid with immediate effect. The ECJ concludes that this immediate effect does not create an unreasonable legal vacuum, as the GDPR continues to provide other ways (“safeguards”) of permitting the transfer of data to the United States.

The consequences of the decision are far-reaching and, for many companies, a bitter outcome of a process whose result many experts nevertheless expected: personal data of EU citizens can no longer be lawfully transferred to the USA on the basis of the EU-US Privacy Shield. There is no official transition period either. Haste is therefore required. The first step for the companies concerned is to determine which safeguards their current data transfers rely on.

Where data transfers are currently based on the EU-US Privacy Shield, the data processing should be stopped immediately to avoid fines. It is to be expected that the supervisory authorities will begin to review the legality of such data transfers in the near future.

In a second step, the data processing operations would have to be secured by another suitable safeguard. In the short term, standard contractual clauses are certainly the method of choice here, albeit with the risks that the ECJ’s decision also highlights. Although the standard contractual clauses remain valid after the ECJ ruling, there is a risk for data subjects here as well that public bodies will interfere with their rights and freedoms by accessing personal data. The ECJ states that, in each individual case, both the EU company responsible for the processing which transfers the personal data to a state outside the EU or the EEA (third country) and the company receiving the data in the third country are obliged to check (e.g. against the third country’s rules on public security, defense and state security, in particular with regard to sufficient protective measures for EU citizens) and to ensure that the required level of protection is complied with. If it is not, the data transfer must not take place.

However, and this is the difference from the EU-US Privacy Shield, the standard contractual clauses do not in themselves contain all the guarantees needed for an adequate level of protection in a third country; their protection mechanisms are in principle extendable. Where the standard contractual clauses are used, it is therefore necessary to check in each individual case whether the agreements made in this way can actually be complied with and, if necessary, to create additional guarantees by supplementing the standard contractual clauses, insofar as this is possible.

How this decision of the ECJ will be implemented in practice remains largely open at present. The controller will usually be able to assess the risks to rights and freedoms posed by the specific foreign legal system, in particular by comparison with European law, only with considerable difficulty. It therefore remains to be seen whether the processor (who is likely to be familiar with its own legal system) will be held more accountable for answering this question, or whether the European supervisory authorities will publish country-specific recommendations to supplement the standard contractual clauses.

In the medium to long term, binding corporate rules, alongside the legal bases otherwise to be considered such as consent or the performance of a contract, would be a suitable and secure way to put data processing back on a sound footing. However, their implementation is complex, and experience shows that the process takes time. Finally, companies will also need to consider where data processing can be dispensed with altogether, whether processing in third countries can be dispensed with, and whether processing can be relocated to the EU/EEA if necessary.

Incidentally, it should not go unmentioned that the current decision of the ECJ certainly also has an indicative effect for other adequacy decisions. It remains to be seen whether and how the regulatory authorities will position themselves on the topic as a whole in the short term.


Summary

  • ECJ: Commission’s adequacy decision on the EU-US Privacy Shield is invalid.
  • Transatlantic data transfers based solely on this decision no longer have a legal basis.
  • European companies must convert all data transfer agreements to the United States based on the EU-US Privacy Shield adequacy decision.
  • Standard contractual clauses as a lifeline, together with binding corporate rules for intra-group data transfers, are the only remaining option, but after the ECJ ruling these too carry risks, and not only with regard to the USA.
