On 16 July 2020, the Court of Justice of the European Union (‘EUCJ’) ruled that the Privacy Shield does not comply with the General Data Protection Regulation (GDPR). This is important news for organizations that currently still base the transfer of personal data to organizations in the US on the Privacy Shield. Since this ruling, such transfer is no longer in accordance with the law. What is the Privacy Shield and what exactly does it regulate? How did the EUCJ come to this judgment? And what are the practical consequences?
Since the GDPR entered into force, the rules about the processing and protection of personal data have been further harmonized within the European Union (‘EU’). This means that when exchanging personal data, it should not matter whether an organization is based in the Netherlands or in another country of the EU. Outside the EU, privacy legislation often does not meet European standards. The transfer of personal data to parties outside the EU is therefore, in principle, not permitted. The GDPR contains rules on this matter. It follows from these rules that the transfer of personal data to (organizations in) countries outside the EU is only permitted:
- on the basis of an adequacy decision;
This means that the European Commission has decided that an international organization or (specified sectors of) a country ensures an adequate level of protection. This also includes the Privacy Shield. In decision 2016/1250, the European Commission decided that the US offers an adequate level of protection. An important condition is that organizations must be certified under the Privacy Shield for the transfer to be permitted.
- when the EU Standard Contractual Clauses (also called model contracts) are being used;
These model contracts have been adopted by the European Commission, which considers the provisions of these contracts to provide sufficient guarantees for the protection of the data transferred internationally. The EUCJ has also ruled on the validity of these model contracts, as will be discussed below.
- if binding corporate rules have been drawn up;
Organizations can draw up internal binding corporate rules to legitimize the transfer of personal data within their own organization. These rules can only be used as a legal basis for the transfer in case the personal data are being transferred within a group of undertakings or enterprises.
- if one of the specific situations set out in Article 49 GDPR applies.
The best-known situation included in this provision concerns the situation in which a data subject has given his or her explicit consent to the transfer. More about this later.
Prior to the judgment
Maximilian Schrems (‘Schrems’), a well-known privacy activist from Austria, has been the driving force behind this court case. This is his second victory over Facebook. In 2015, he already succeeded in having the Safe Harbor decision (more or less the predecessor of the Privacy Shield) declared invalid by the EUCJ. Facebook then decided to use the so-called model contracts as a basis for the transfer of personal data of its users.
Following the invalidation of Safe Harbor, Schrems reformulated his earlier complaint to the Irish privacy supervisory authority. Schrems had requested this authority to take action against Facebook, because he believed that the transfer of his personal data by Facebook Ireland to Facebook Inc. (based in the US) should be prohibited, since, in Schrems’ view, the US does not offer a sufficient level of protection. After this reformulation, the Irish supervisory authority considered that the handling of Schrems’ complaint mainly depended on the validity of the model contracts.
The Irish supervisory authority brought proceedings before the Irish High Court in order for it to refer questions to the EUCJ for a preliminary ruling. The High Court raised several questions on the validity of the model contracts. In addition, a question was also raised about the validity of the Privacy Shield, because Facebook had also been certified under that regime in the meantime.
Ruling of the EU Court of Justice
Privacy Shield invalid
The decision of the EUCJ is now known, and as a result the Privacy Shield is no longer valid. In summary, the EUCJ is of the opinion that the Privacy Shield does not ensure a level of protection of the transferred personal data that is essentially equivalent to the level of protection in the EU. Particular attention is drawn to the US surveillance programs, by means of which large amounts of data are being processed, including data of European citizens.
The EUCJ held that this goes beyond what is strictly necessary, which is not permitted under the GDPR. Although requirements are imposed on the US authorities when implementing the surveillance programs in question, European citizens cannot take legal action against the US authorities if they consider their data to be unlawfully processed. This is not sufficiently addressed by the Ombudsman mechanism established by the European Commission, inter alia, because the Ombudsman is not empowered to adopt decisions that are binding on US intelligence services. Therefore, the EUCJ declares the adequacy decision on the Privacy Shield invalid.
Model contract valid
At the same time, the EUCJ considered that the model contract can be a valid mechanism for the transfer of personal data to countries outside the EU. This judgment relates specifically to the model contract drawn up for the controller and processor. Although the EUCJ did not specifically comment on the model contracts drawn up for international transfers between two controllers, the judgment does contain indications that these contracts remain valid as well.
The EUCJ did not only take the content of the provisions themselves into consideration, but also the legal system of the country to which the data are transferred. The EUCJ considers that the model contracts offer a level of protection that is essentially equivalent to the level of protection in the EU, inter alia because the contracts sufficiently guarantee that the transfer of personal data will be suspended or put to an end in the event of a breach of, or inability to comply with, the provisions of those contracts.
In that regard, the EUCJ points out, in particular, that the contract imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned. The contract also states that the recipient must inform the data exporter of any inability to comply with the standard data protection clauses. If the processing of personal data continues in such situations, national supervisory authorities may subsequently prohibit the transfer. It is questionable to what extent this actually makes a difference to transfers to the US, but the EUCJ considers this sufficient to maintain the validity of the model contract in question.
What are the practical consequences of this judgment?
The ruling means that the Privacy Shield is no longer a legally valid basis for the transfer of personal data to organizations in the US. In short, organizations that still exchange data on this basis with organizations in the US are acting in violation of the GDPR. This raises the question of what an alternative legal basis for the exchange of personal data with the US could be.
What are the alternatives?
At first sight, concluding a model contract seems an obvious alternative. The model contracts can easily be found on the website of the European Commission. Parties have only limited rights to add amendments to these contracts, which in practice often allows them to be signed relatively quickly. There is only limited room for negotiation and certainly for transmission to the US there are few alternatives.
Although this judgment has shown that a model contract remains a valid mechanism for the transfer of personal data, it is not certain that the transfer of personal data to the US can continue or be based on such a contract. Indeed, as discussed above, it is up to the data importer and exporter to assess this on a case-by-case basis. This will often require an extensive analysis, which will have to be well documented. The analysis should also consider the applicable legislation in a country (including public and national security), the possible access of public authorities to the personal data transferred, as well as the existence of enforceable rights and judicial redress for the data subjects whose personal data are being transferred. And this is precisely where the EUCJ is very critical when it comes to data transfers to the US.
In short, given the current surveillance legislation, it is questionable whether the model contracts can be used as a basis for a legally valid transfer of personal data to organizations in the US. In any case, this is highly unlikely if the recipient of the data may be under surveillance in the US.
Besides, the current model contracts have not yet been updated since the entry into force of the GDPR. The European Commission has indicated in its evaluation report on the GDPR that it is working on this, but has most probably waited for this ruling of the EUCJ. It is not known exactly when the new versions of these model contracts will become available, but it does seem clear that the current model contracts will be replaced in due course. Will the European Commission anticipate the EUCJ’s objections to data transfers to the US?
Binding corporate rules
What options are left? A group of undertakings, or a group of enterprises engaged in a joint economic activity, could consider drawing up binding corporate rules for the internal data transfer. However, establishing such rules is usually a lengthy process. Such rules would have to be submitted to the national supervisory authority for approval before they would be valid. This is therefore not a short-term solution. Moreover, the Dutch Data Protection Authority does not seem to be handling this approval procedure with much diligence.
There are not many other options. Only the specific situations listed in Article 49 of the GDPR remain. This provision states, among other things, that a transfer is permitted in case the data subject has expressly consented to the proposed transfer, after having been informed of the possible risks of such transfer. Apart from the obligation to provide such information, requesting consent will not be a viable option in many situations. Certainly not when organizations exchange data of many different data subjects with parties in the US. It is then practically impossible to ask for consent on a case-by-case basis. Moreover, once consent has been given, it must always be possible to withdraw it. In addition, it is not possible to obtain legally valid consent from certain categories of data subjects. Think, for example, of employees, who are assumed not to be able to freely give consent to their employer.
Where a transfer is necessary for the performance of a contract between the data subject and an organization (the controller) or for the implementation of pre-contractual measures taken at the data subject’s request, the transfer of personal data to countries outside the EU (and therefore also the US) could be permitted. Both situations are included in Article 49 of the GDPR. Other examples are situations where the transfer of personal data is necessary for important reasons of public interest, for the protection of the vital interests of the data subject or for the exercise of legal claims.
It has not necessarily become impossible to transfer personal data to organizations in the US, but it will often be necessary to assess case-by-case on what legal ground that specific transfer could be based. The question is whether this is practical and workable.
All eyes are now on the European legislator. Will it come up with a new solution to facilitate a large-scale and easy exchange of information with parties in the US? Or will the US change its surveillance legislation under political and economic pressure?
In the meantime, most organizations will need to explore whether there are possibilities to base the international transfer to the US on another ground (as mentioned above) or whether they can and must temporarily or even permanently stop the transfer.
Want to know more?
Would you like to know more about this ruling and what consequences there may be for your organization? What the specific risks for your organization are? Or do you have other questions about the international transfer of personal data? Please contact Tom de Wit, Huub de Jong or Lisa Molenaars.