20. July 2020

Implications of the ECJ ruling regarding data transfers to the US

Mainz, July 20, 2020 – In its Judgment of July 16, 2020 , the ECJ ruled that the EU Commission decision on the adequacy of the “Privacy Shield” is invalid. The Privacy Shield Program therefore no longer offers legal security when transferring personal data to the USA. With regard to the use of the so-called “standard contractual clauses”, the ECJ also makes high demands in individual cases. We explain the background and key messages of the decision and what they mean in practice in your company.

What is the Privacy Shield?

The Privacy Shield program was developed by the U.S. Department of Commerce, the European Commission and the Swiss Federal Administration. The ECJ had already in his Judgment of October 6, 2015 annulled the previously valid “Safe Harbor” rules. The new “Privacy Shield Framework” was intended to fill the gap created this way. Registered companies can commit to compliance with the Privacy Shield regulations. The set of rules then provides an enforceable right for the data subjects under US law. This mechanism was intended to help companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in day-to-day business. The program continues to be administered by the U.S. Department of Commerce, but no longer provides legal certainty regarding GDPR compliance after the July 16, 2020 ECJ ruling.

What are the standard contractual clauses?

Another alternative to the procedure for data transfer in so-called “third countries” outside the EU (not only the USA) is to use the so-called “standard contractual clauses” based on the Decision (EU) 2010/87 of the EU Commission. If the data exporter and the data importer conclude a contract using the standard clauses of the EU Commission (Art. 46 Para. 2 lit. c GDPR), the data transfer based on this is generally permitted within the framework of the GDPR without further approval by the supervisory authority.

What did the ECJ decide?

  • The ECJ emphasized that when carrying out international data transfers equivalent level of protection must be guaranteed. In addition to the contractual regulations agreed between the data exporter and the recipient in the third country, the legal legal framework in the third country is also crucial, especially with regard to the authorities’ access options to the transmitted data.
  • With regard to the rules from the Privacy Shield Program , the ECJ concludes that the guarantees and measures for the protection of personal data specified therein did not lead to an equivalent level of protection. The ECJ based this decision on the fact that the surveillance programs based on Section 702 of the “Foreign Intelligence Surveillance Act” (FISA) and the Executive Order 12333 are not limited to the absolutely necessary extent. On the other hand, the Privacy Shield would not offer sufficient legal protection options. With this reason, the ECJ declared the EU Commissions Privacy Shield decision invalid.
  • When examining the standard contractual clauses of the EU Commission , the ECJ came to the conclusion that they were generally effective. According to the ECJ’s assessment, these contain corresponding clauses that ensure in practice that the required level of protection is maintained. It should be noted here that the recipient must notify the data exporter if he cannot comply with the contractual guarantees. In this case, data transmission must be suspended immediately.

What does this mean for my company?

  • For business processes in which personal data were previously  transferred to the USA only on the basis of the Privacy Shield, companies have to switch to other guarantees due to the ineffectiveness of the Privacy Shield:
    • Agreement of the standard contractual clauses: The existing Standard contractual clauses should be agreed to with the US contract partner. The major US service providers such as Microsoft, Google and Amazon continue to offer the conclusion of the standard contractual clauses for corporate customers.
    • Exemptions: Individual data transfers may also be based on one of the exceptional cases according to Art. 49 GDPR. It should be noted that the exceptional cases listed there are generally to be interpreted narrowly. In addition, they are not transferable to regular and recurring data transfers (as with classic IT outsourcing, for example with cloud storage).
  • The comments expected soon from the local supervisory authorities responsible for the company should be taken into account. The data protection officer of the state of Rhineland-Palatinate, for example, already has one Opinion published on July 16, 2020, which emphasizes the need for coordination between the supervisory authorities in order to achieve uniform application of the law.
  • In a Message of July 16, 2020 has confirmed the EU Commission to work on updated standard contractual clauses and on a political solution with the USA. These developments, as well as the progress of the main proceedings before the Irish High Court should be monitored.

 

Photo:

Business photo created by creditsonlyyou and natanaelginting – www.freepik.com