In its decision on the EU-US Privacy Shield, as with the earlier Safe Harbor agreement, the ECJ found that the framework cannot guarantee an adequate level of data protection. The court thereby removes the legal basis for a large part of transatlantic data transfers. European companies are now forced to review all of their data transfer agreements with the United States and, where necessary, put them on a different legal footing.
Background to the decision
The transfer of personal data to companies in the United States of America has become commonplace, not least because of the omnipresent use of cloud services. The services of large American cloud providers have become an integral part of the operational processes of many European companies. However, the European General Data Protection Regulation imposes strict requirements on such data transfers to companies in countries outside the EU or EEA. It must be ensured that the level of data protection in the recipient company's country is essentially equivalent to the level of data protection in Europe. This adequacy of the level of data protection can be ensured through various mechanisms. One of these mechanisms, probably one of the most frequently used, is the adequacy decision negotiated and concluded in 2016 between Europe and the United States, the so-called EU-US Privacy Shield. In addition, other mechanisms are available, such as the EU standard contractual clauses or binding corporate data protection rules (binding corporate rules).
Austrian data protection activist Max Schrems brought proceedings against the EU-US Privacy Shield on the grounds that it does not provide sufficient protection for European data subjects, in particular because of the far-reaching powers of American intelligence agencies, and accordingly cannot ensure a level of data protection adequate to European data protection requirements. The European Court of Justice (“ECJ”) has now ruled on both the EU-US Privacy Shield and the EU standard contractual clauses.
The ECJ’s decision and its supporting reasons
In its “Schrems II” decision of July 16, 2020, the ECJ found that EU Commission Decision 2016/1250 of July 12, 2016, which established the “EU-US Privacy Shield” as the successor to the Safe Harbor Agreement, is invalid, as Safe Harbor was before it. This decision of the ECJ has very far-reaching consequences, as from now on the transfer of personal data from European companies to US companies can no longer rest on this frequently used legal basis. In addition, the ECJ ruled that the EU standard contractual clauses are not invalid, at least on the facts and arguments presented in these proceedings, and can in principle continue to be used as a legal basis.
The ECJ based its decision on the invalidity of the EU-US Privacy Shield essentially on the following reasons:
Consequences of the Decision and Recommendations for Action
The decision issued for the above main reasons declares the EU-US Privacy Shield invalid with immediate effect. The ECJ concludes that this immediate effect of the decision does not create an unreasonable legal vacuum, as the GDPR continues to provide for other ways (“safeguards”) to allow the transfer of data to the United States.
The consequences of the decision are far-reaching and, for many companies, the bitter outcome of a process whose result many experts had nevertheless expected: personal data of EU citizens can no longer be lawfully transferred to the USA on the basis of the EU-US Privacy Shield. There is also no official transition period, so haste is required. First of all, the companies concerned need to check which safeguards their data transfers currently rely on.
If data transfers are currently based on the EU-US Privacy Shield, the data processing should be stopped immediately to avoid fines. It is to be expected that the supervisory authorities will also begin to review the legality of such data transfers in the near future.
In a second step, the data processing operations would have to be secured by another suitable safeguard. In the short term, standard contractual clauses are certainly the method of choice here, albeit with the risks the ECJ also highlighted in its decision. Although the standard contractual clauses remain valid after the ECJ ruling, there is still a risk for data subjects that public bodies will interfere with their rights and freedoms by accessing personal data. The ECJ states that, in each individual case, the EU company responsible for the data processing which transfers the personal data to a state outside the EU or the EEA (a third country), as well as the company receiving the data in the third country, are obliged to check whether the required level of protection is complied with (for example on the basis of that country's rules on public security, defense and state security, in particular as regards sufficient protective measures for EU citizens) and to ensure that it is. If this is not the case, the data transfer must not take place.
However, and this is the difference from the EU-US Privacy Shield, the standard contractual clauses do not in themselves contain all the guarantees needed for an adequate level of protection in a third country; their protection mechanisms can in principle be extended. Therefore, where the standard contractual clauses are used, it is necessary to check in each individual case whether the agreements made in this way can actually be complied with; where necessary, additional guarantees must be created by extending the standard contractual clauses, insofar as this is possible.
How this decision of the ECJ will be implemented in practice remains largely open at present. The controller will regularly be able to assess the risks to rights and freedoms posed by a specific foreign legal system only with considerable difficulty, also and especially in comparison with European law. It therefore remains to be seen whether, in order to answer this question, the processor (who is likely to know its own legal system) will be held more accountable, or whether the European supervisory authorities will publish country-specific recommendations to supplement the standard contractual clauses.
In the medium to long term, Binding Corporate Rules, alongside the other legal bases that may be considered, such as consent or the performance of a contract, would be a suitable and secure way to put data processing back on a sound footing. However, their implementation is complex and experience shows that the process takes time. Finally, consideration will also need to be given to where data processing can be dispensed with altogether, whether processing in third countries can be avoided, and whether data processing can be relocated to the EU/EEA if necessary.
Incidentally, it should not go unmentioned that the current decision of the ECJ certainly also has an indicative effect on other adequacy decisions. It remains to be seen whether and how the regulatory authorities will position themselves on the topic as a whole in the short term.
Summary
© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.