The long-awaited decision of the European Court of Justice on the EU-US Privacy Shield has turned out as expected: the EU-US Privacy Shield agreement does not provide an adequate level of data protection. Since the EU-US Privacy Shield was established, we have advised in this direction and advised our clients not to base their data processing on the EU-US Privacy Shield.
Background
The GDPR only recognizes a uniform level of data protection within the EU. If personal data leaves the EU, for example because the cloud used is located on US servers, a level of data protection must be ensured there that meets the standards of the GDPR.
The EU Commission has the right to determine, through the GDPR, that the legal regulations of another state fulfill this. However, the European Court of Justice (ECJ) has the right to review this adequacy decision.
EU-US Privacy Shield
The EU has concluded the EU-US Privacy Shield Agreement with the US and the EU Commission had determined that if US companies comply with the terms of this agreement, the data may be processed in the US. US companies had to register specifically for this.
Further contractual agreements between the US company and the EU company were no longer required. The system was therefore particularly easy to use.
From the outset, there was criticism that the EU-US Privacy Shield did not effectively protect data from US government access, that there were insufficient legal remedies, and that the EU-US Privacy Shield was far too complex in general, so that EU citizens could not effectively obtain legal protection in the United States. This criticism was based on the forerunner to the EU-US Privacy Shield Agreement, the Safe Harbor Agreement between the EU and the US, which the ECJ had already declared invalid a few years ago.
ECJ decision
In its ruling of July 16, 2020, the ECJ has now taken up the criticism. The reasons for the judgment are not yet generally available, but the press release already provides information on the main reasons.
The ECJ's criticism is based, first of all, on the fact that the American legislation on surveillance programs is not limited to what is strictly necessary. It therefore does not meet EU notions of proportionality. The relevant US provisions concerning certain surveillance programs in no way indicate that the authorization to carry out those programs is subject to any restrictions, or that any safeguards exist for the EU data concerned.
The Court adds that even where the rules contain requirements, they do not confer any rights on data subjects that can be enforced in court against US public authorities. The EU-US Privacy Shield's ombudsman mechanism does not provide US data subjects with legal recourse to enforce guarantees equivalent to those in the EU. There is a lack of both guarantees of the ombudsman's independence and US mechanisms that would allow the ombudsman to make binding decisions vis-à-vis US intelligence agencies.
The adequacy decision on the EU-US Privacy Shield has therefore been declared invalid. The EU-US Privacy Shield can therefore no longer serve as a legal basis for data transfers from the EU to the US. No transitional period has been granted, so such data transfers must be stopped immediately unless another legal basis can be found for them.
What happens next?
The ECJ also had to decide on the so-called standard contractual clauses.
The EU began publishing model contracts years ago. These templates serve as written contracts between EU companies and non-EU companies governing the data processing carried out by the non-EU company. The contracts may only be filled in at certain points and may not be modified in any other way. With the standard contractual clauses, the EU company instructs the non-EU company to carry out the data processing in a certain way, so that the European level of data protection is also guaranteed when the data is processed outside the EU.
The adequacy of the level of data protection, which is achieved by means of the standard contractual clauses, has been approved by the ECJ. Many companies that currently have data processed in the US will want to rely on this.
But
The ECJ also emphasized that the standard contractual clauses must be taken seriously. The clauses stipulate that the EU and non-EU companies must check in advance whether the required level of protection is maintained in the third country in question, and that the recipient must notify the EU company if it is unable to comply with the standard contractual clauses, whereupon the data exporter must suspend the data transfer and/or withdraw from the contract with the recipient.
It seems questionable how, in view of US legislation, the companies involved can be expected to establish a sufficient level of protection in the US in the face of the insufficiently restricted intelligence powers that led to the invalidity of the EU-US Privacy Shield.
Thus, it seems that the only options for justifying data processing in the United States will be those set out in Article 49 of the GDPR, as long as the United States of America does not improve its data protection laws.
Addendum
The judgment is now available.
The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.