EU Court cuts Privacy Shield and blocks data transfers to the US

Privacy Shield, the data exchange agreement between the EU and the US, is off the table. According to the Court it is contrary to the GDPR. The ‘standard contractual clauses’ will continue to exist, but surveillance in the US also makes that instrument difficult to use for data transfers.

The European Court of Justice has ruled that the transfer of personal data to a third country must be accompanied by a level of protection that is essentially comparable to the level of protection in the GDPR. The judges consider that in assessing this, not only the contractual arrangements between the data exporter and the recipient should be considered, but also the relevant aspects of that third country’s legal system. Regulatory authorities are obliged to prevent the transfer of personal data to a third country if they believe that adequate data protection cannot be achieved.

Next, the Court looks specifically at the legality of the standard contractual clauses, or model contracts. This is an EU-approved tool that allows US companies to transfer data from EU citizens to the US for storage. They are in fact contracts between two parties, whereby a processor undertakes to handle the personal data in a certain way. According to the Court, the legality of this instrument depends on the circumstances on a case-by-case basis, specifically whether there are effective mechanisms to ensure that the level of data protection desired by the EU is met. According to the Court, that is the case and the transfer can be suspended if the conditions are violated.

In light of the requirements of the GDPR, the Court also looked at the adequacy decision with regard to the US, which underpins Privacy Shield. These kinds of decisions assess whether a country can offer the same level of data protection as the EU. The Privacy Shield Agreement replaced the Safe Harbor framework previously struck down by the EU Court. The Court specifically mentions the “restrictions on the protection of personal data arising from US law on access to and use of that data by US authorities.” According to the Court, these restrictions are not in line with the requirements of EU law. The Court specifically mentions US surveillance programs and considers them disproportionate, as they go beyond what is strictly necessary. European citizens would also have no rights that can be enforced in a lawsuit against the American authorities. The Court considers the ombudsman mechanism established by the European Commission, which is part of Privacy Shield, to be insufficient. Therefore, this framework has been declared null and void.

Max Schrems is the Austrian who is behind this case and was also responsible for the previous case in which Safe Harbor was declared null and void. He is pleased with the current judgment. “This is a major blow to the Irish Data Protection Commission and Facebook. It is clear that the US will have to make significant changes to its surveillance laws if US companies are to play a major role in the European market,” said Schrems. He is specifically referring to Facebook and the Irish regulator. This case and the similar previous Safe Harbor case have their roots in Schrems’ objections to the way Facebook, in his view, violated European privacy rules, and in his frustration at the Irish watchdog’s lack of action. Schrems previously referred to Edward Snowden’s revelations that the US government has extensive access to user data.

Schrems makes it clear that after the current judgment of the Court of Justice, the standard contractual clauses can only be used if there are no conflicting regulations. The US legislation that allows surveillance, and can therefore be at odds with the protection of personal data of non-Americans, is an important stumbling block in this regard. National regulators must intervene if the companies involved in the SCCs do not act when data protection is breached. That means, for example, that the Irish DPC must intervene if Facebook does not act. Facebook has its European office in Ireland, making the DPC the relevant regulatory body here.

According to MEP Sophie in ‘t Veld, this current judgment of the Court of Justice means that companies can in fact no longer legally transfer personal data from the EU to the US, for example to store them there on servers. “The ruling is a tragedy for companies, but is entirely due to the European Commission’s lapdog behavior with the US government. The European Commission has never dared to hit hard in Washington DC for strict privacy guarantees for European citizens, and allows US mass surveillance of European citizens practically openly.”

This current legal situation does not mean that e-mails cannot be sent from the EU to the US, or that nothing can be done at all. After all, in accordance with Article 49 of the GDPR, the transfer of data is still possible if it is ‘necessary’, for example if the data subject has explicitly consented to the proposed transfer and is aware of the risks. It is also possible if the transfer is necessary for important reasons of public interest or if it is necessary to fulfill a contract. According to Schrems, this still provides a solid basis for most transactions with the US. He argues that that country now simply has no special status and therefore no longer has special access to EU data, which means that the normal situation of the EU vis-à-vis third countries is restored. The Court of Justice also states that the judgment does not create a legal vacuum.

Incidentally, companies have increasingly turned away from the Privacy Shield construction and its associated certifications, because the fall of Safe Harbor had already shown that the legal basis could suddenly disappear. SCCs accomplish the same thing by allowing companies to create a legal ground for the transfer of personal data through their own contracts. The idea is that all those individual contracts more or less stand on their own and therefore cannot be struck down so quickly.

The SCC route has remained intact after the current Court of Justice ruling, although it will be difficult or practically impossible to continue to use this tool for data transfers from the EU to the US, given the surveillance regulations there. European companies using this tool may need to review their outsourcing policies if they have US companies process personal data. US recipients will now likely have to similarly ascertain whether they are subject to obligations arising from relevant US surveillance laws. If so, they won’t be able to use the SCCs.

US Secretary of State Wilbur Ross said in a response that his department is deeply disappointed that the Court of Justice has overturned the Privacy Shield adequacy decision. He says the ruling is currently being studied to fully understand its practical implications. Ross also emphasizes that the data transfers are essential for companies and not just those from the tech sector. According to him, there are currently more than 5,300 Privacy Shield participants. The minister indicates that the US Department of Commerce will continue to apply the Privacy Shield program; he says the Court of Justice ruling does not relieve participating companies of their Privacy Shield obligations.