The Austrian data protection activist and lawyer Max Schrems is a combative man. In a first lawsuit against Facebook before the ECJ in 2015 (ECJ, judgement of 6 October 2015, C-362/14 – Schrems I) he already brought down the “Safe Harbour” rules then applicable to the transfer of personal data between the EU and the USA. In a new case brought by the same plaintiff, the ECJ recently ruled with immediate effect (ECJ, judgement of 16.07.2020, C-311/18 – Schrems II) that the successor instrument for the transfer of personal data from the EU to the USA, the EU-US Privacy Shield, does not constitute a valid legal basis for such data transfers either. The current decision has far-reaching implications, even beyond the Privacy Shield, for the requirements governing the transfer of personal data from the EU to third countries, and it substantially increases the risks and potential liability for those involved in such data transfers.
Even after the entry into force of the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679), the transfer of personal data to a country outside the EU or the EEA is only permitted to a limited extent and under special conditions, Art. 44-49 GDPR. These restrictions rest on the assumption that within the EU a uniform and high level of data protection for natural persons is ensured through the uniform and consistent application of rules protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data (see recital 10 of the GDPR). A comparable level of data protection is to be achieved for personal data transferred to third countries such as the USA by means of certain tools laid down in the GDPR. Such tools include adequacy decisions by the EU Commission, Art. 45 GDPR; the existence of appropriate safeguards (“Binding Corporate Rules”, standard data protection clauses of the Commission, etc.), Art. 46 GDPR; or certain exceptional cases (explicit consent of the data subject, data transfer for the performance of a contract with the data subject, etc.), Art. 49 GDPR.
The most important tools for international data transfer in practice are the Commission’s standard data protection clauses, Art. 46 para. 2 c) GDPR (https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=celex%3A32010D0087), and – until now – the Privacy Shield, under which more than 5000 companies (including large companies such as Facebook) are certified in the USA.
In the current Schrems II case (ECJ op. cit., recital 52 et seq.), the plaintiff opposed the transfer of his personal data to the USA, in particular with the argument that Facebook Inc. was obliged to make his personal data available to US security authorities such as the National Security Agency (NSA) and, if necessary, the Federal Bureau of Investigation (FBI), which seems to be incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (Charter) (ECJ op. cit., recital 55).
The ECJ examined the extensive powers of the NSA and the FBI, in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 together with Presidential Policy Directive 28 (PPD-28), and concluded that those rules do not guarantee a level of data protection equivalent to that required by Article 52(1), second sentence, of the Charter: they do not comply with the principle of proportionality and, in particular, they provide no effective legal remedy for the natural persons concerned (ECJ, loc. cit., para. 178 et seq.). For this reason, the ECJ declared the corresponding adequacy decision of the EU Commission on the EU-US Privacy Shield invalid with immediate effect (ECJ, loc. cit., paras. 198, 199).
The decision of the ECJ raises important questions about the relationship between EU data protection law, i.e. the GDPR, and the national security law of the third countries in which data importers are located. Within the EU, the third sentence of Article 4(2) TEU provides that national security remains the sole responsibility of the Member States and thus takes precedence over the GDPR and the Charter. National security authorities in the Member States, such as the German Federal Intelligence Service (BND), do not have to submit to the standards of the GDPR and the Charter in their operational activities, whereas, in the opinion of the ECJ, US security services do, e.g. when inspecting social media accounts of international providers on servers in the USA which contain personal data of EU citizens.
In any case, whenever personal data are transferred outside the EU, the conflict between the powers of national security authorities and the maintenance of an adequate level of protection for personal data from the EU is likely to persist. One might think of the Chinese video app TikTok, for example. How the ECJ’s standards apply after 31/12/2020 in the case of an unregulated Brexit should also be of interest for the handling of personal data of EU citizens in the UK, as UK national security services are not subject to the requirements of UK data protection law and cooperate, inter alia, with US security services.
Another key question is whether the standards of review set by the ECJ’s Schrems II decision also apply to the other tools for ensuring an adequate level of data protection, in particular the Commission’s Standard Contractual Clauses (SCC). The wording of Art. 46 GDPR does not state that the “appropriate safeguards” must ensure an adequate level of protection for the data transferred under the SCC. However, in the current decision (loc. cit., para. 96), the ECJ applies a uniform standard of review based on Art. 45 (2) GDPR to all instruments of international data transfer under Chapter V of the GDPR. The SCC bind only the contracting parties, not the competent security authorities. According to the ECJ (loc. cit., para. 132 et seq.), however, SCC must also ensure an equivalent level of protection. Accordingly, it may prove necessary to amend the existing guarantees contained in the SCC. The effective conclusion of an SCC contract as such does not automatically make the transfer of data to non-European countries permissible. Rather, according to the ECJ, the parties must comprehensively examine whether an adequate level of data protection is maintained in the third country, taking into account the contractual obligations of the parties on the one hand and the legal system of the recipient state on the other (ECJ, loc. cit., para. 134). Depending on the result of that examination, “additional measures” may be required to ensure an adequate level of data protection in view of the legal system of the third country.
For data transfers to the US based on the SCC, clause 5(a) of the relevant Annex requires the data importer to inform the EU-based data controller without delay if it is unable to comply with its obligations under the SCC because of legislation in its country. According to the SCC, both parties to the contract must ensure that they abide by the level of data protection required by EU law before transferring personal data to the third country (ECJ, op. cit., para. 142). If this is not the case, data already transferred must be returned or destroyed. According to clause 6 of the Annex to the SCC, data subjects are entitled to compensation in the event of infringements. Conversely, access by national security authorities to personal data held in third-party systems within their territory is regularly accompanied by confidentiality obligations imposed on those third parties. The data importers concerned are thus in breach either of the confidentiality obligations imposed on them by the national security services or of the provisions of the SCC. The conflict between national security law on the one hand and the Privacy Shield or the SCC on the other is therefore essentially the same in both cases.
In this respect, unless data transfers based on the SCC are terminated altogether and the related data deleted, “additional measures” by the parties concerned will be required. The ECJ does not explain in detail what is meant by this. It would be conceivable, for example, to encrypt the exported data, provided that the business model of the parties concerned permits it. It might also be possible to keep personal data from the EU on cloud servers within the EU. Additional strict contractual transparency and reporting obligations on the data importer could also be considered as “additional measures”. For international data transfers based on the SCC for processing on behalf of a controller, additional contractual arrangements similar to the standard contracts for such processing within the EU could be considered.
Any such measures must be preceded by an analysis and discussion with the data importer of the consequences of the removal of the Privacy Shield and of the alternative solution, e.g. the SCC, or, where SCC already exist, by a recording and documentation of the data transfers, including an assessment of the level of data protection in the recipient countries. The results of the analysis and the assessment should be documented appropriately. The Schrems II decision creates an immediate need for action for the companies affected.