On 16 July 2020, The Court of Justice of the European Union (“CJEU”) delivered its long awaited ruling concerning data protection and privacy law. This can be considered a landmark ruling which will have considerable ramifications for companies currently exporting data to the United States.
The Court ruled that the EU-US Privacy Shield does not provide an adequate level of data protection within the meaning of Art.45 GDPR. Indeed, the Privacy Shield allowed disproportionate exemptions from the data protection rules where surveillance by the (many) US intelligence services was in play and offered no effective remedy to those concerned, including, amongst others, apprehensive citizens. The corresponding Commission adequacy decision was therefore declared invalid. Consequently, data can no longer be transferred to the US if the basis for doing so concerns the Privacy Shield.
Background to the case
Maximilian Schrems, an Austrian lawyer and privacy campaigner, lodged a complaint concerning the transfer of his personal data by a European subsidiary of Facebook to an entity of the Facebook group in the US. After an investigation by the Irish supervisory authority it sought assistance from the Irish High Court to verify the validity of the justifications on which Facebook relied in order to export the data from Ireland to the US. The High Court stayed proceedings and referred questions for a preliminary ruling to the CJEU. The CJEU had to examine the validity of (1) the European Commission’s adequacy decision allowing data transfers to the US under the Privacy Shield and (2) the European Commission decision according to which the standard data protection clauses offered sufficient safeguards for a transfer of data to a third country. As to this second point, Facebook Ireland Ltd explained that a large volume of personal data were transferred pursuant to the standard data protection clauses (“SCCs”) in the annex to Commission Decision 2010/87/EU mentioned and examined in the full judgment. This Decision established the basis and cleared the way for SCCs for certain categories of transfers. This manner of proceeding has not been invalidated and is thereforestill applicable. We will return to them later.
The legal aspect
Art.44 GDPR subjects the transfer of personal data abroad to certain requirements. Such a transfer is in particular authorized on the basis of a decision of the European Commission finding that the country concerned offers an adequate level of data protection (Art.45 GDPR). The Commission thus found that the US offered an adequate level of protection with regard to data transferred under the Privacy Shield. The Privacy Shield is a self-certification mechanism that is based on certain official US commitments and allows American businesses to adhere to a set of data protection principles published by the US Department of Commerce. It is therefore possible to transfer personal data to the US when the recipient is on the list of organizations adhering to the Privacy Shield. In its assessment of the level of protection in the third country, the Commission had to take into account in particular the legislation relating to defence and national security, the access of public authorities to personal data as well as the effective legal remedies available to concerned citizens in the country of destination (Art.45 para. 2 GDPR). Read in the light of ss.7 (Respect for private life), 8 (Protection of personal data) and 47 (Right to an effective remedy and access to an impartial tribunal) of the European Charter of Fundamental Rights, this provision means in particular that (a) data protection derogations (e.g. for the purpose of safeguarding national security) must be proportionate and (b) data subjects must have an effective right of remedy. The principle of proportionality requires, on the one hand, that exceptions to data protection be made within the limits of what is strictly necessary, and on the other hand that they are subject to sufficient legal and procedural safeguards. However, US law (the Foreign Intelligence Surveillance Act) allows intelligence agencies such as the National Security Agency (“NSA”) to collect large volumes of data “in bulk”, without specifically targeting the collection and with little judicial oversight. Indeed, US surveillance programs are based on annual certifications that do not take into account whether or not the subjects being monitored are correctly targeted. In addition, the relevant US laws do not give data subjects any right that can be enforced against the authorities collecting their data. In these circumstances, the Commission wrongly considered the data protection exemptions in force in the United States to be proportionate and it is difficult to see how the Commission could have come to this conclusion, though come to that conclusion it did. What was of particular importance for the adequacy decision was the existence of an effective remedy in the country of destination of the data. In this regard, the Privacy Shield provides that persons affected by a data transfer to the US can submit their complaints to a mediator. However, the latter is an integral part of the US State Department and is appointed and dismissed by the Secretary of State, which calls into question their independence from the executive branch. In addition, the mediator’s jurisdictional reach is limited, as several relevant legal bases for the collection of personal data by intelligence services are outside their remit. Finally, there is no indication that the mediator could make decisions which bound the intelligence services. Therefore, the guarantees offered by the Privacy Shield mediation mechanism are not substantially equivalent to those required by Art.47 of the European Charter of Fundamental Rights. In light of this, by finding the adequacy of the protection offered by the Privacy Shield, the Commission infringed Art.45 GDPR. The adequacy decision was therefore deemed invalid. The CJEU stated:
 “[N]either Section 702 of the [Foreign Intelligence Surveillance Act], nor [Executive Order] 123333, read in conjunction with [Presidential Policy Directive 28], correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary”.
The judgment summarized above follows the invalidation in 2015 of a first set of principles for the export of data to the US, the Safe Harbor, also following a complaint from Maximilian Schrems (CJEU, 06.10.2015, C -362/14). The grounds for invalidation of the Privacy Shield are substantially similar to those of the Safe Harbor and once again demonstrate the difficulty of reconciling European data protection requirements with US supervisory practices. This decision has the effect of immediately making illegal any transfer of personal data to the US which relies solely on the Privacy Shield. Such a transfer therefore necessitates other appropriate safeguards, for example sufficient contractual clauses or stringent company regulations.
What about the SCCs? What’s next?
The standard data protection clauses adopted by the European Commission are valid, although they are not enforceable against the authorities of the country to which the data is transferred. However, the use of model clauses does not exempt the data exporter from assessing the risks in specific cases and, if necessary, establishing additional guarantees. In particular, the exporter must verify that the law of the country of destination allows the recipient of the data to comply with its commitments and does not allow disproportionate interference by the authorities, such as the NSA for instance. The European Data Protection Board (“EDPB”) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the SCCs and this guidance still applies to UK controllers and processors. In relation to the UK, the Information Commissioner’s Office (“ICO”) made a statement which was updated on 27 July 2020. The key message is that the judgment has wider implications for international data transfers than the invalidation of the EU-US Privacy Shield, that further work is on the way by the EDPB to provide more comprehensive guidance, and that it is recommended that companies conduct risk assessments as to whether the transfer is to the US or elsewhere. The recipient of the data can occasionally assist corporations in their decision-making.
What does this mean for corporations?
Corporations should now take appropriate steps to confirm that data transfers occurring under their responsibility are in fact compliant with the provisions of the GDPR and the recent judgment of the CJEU. In practice, this means abolishing the transfer of data via Privacy Shield to alternative safeguards such as the SCCs and verifying the level of safeguards applied to data transfers. It is possible to ‘self-assess’ a US recipient as adequate, although the outcome would likely be that the transfer would still be subject to FISA. Thus, in respect of data transferred to the US, Section 702 FISA and E.O 12333 will be relevant. Last but not least, it is crucial for companies to be on the lookout for updates, statements and rulings issued from the EDPB and the CJEU regarding the validity and application of the said SCCs in the future.
This ruling by the CJEU is significant for concerned citizens as well as for privacy in general terms. It is imperative for lawmakers to be on top of technological progress in order for them to legislate adequately and introduce new legal safeguards when people’s privacy is at risk.
The information in this blog is for general information purposes only and does not purport to be comprehensive or to provide legal advice. Whilst every effort is made to ensure the information and law is current as of the date of publication it should be stressed that, due to the passage of time, this does not necessarily reflect the present legal position. Gherson accepts no responsibility for loss which may arise from accessing or reliance on information contained in this blog. For formal advice on the current law please don’t hesitate to contact Gherson. Legal advice is only provided pursuant to a written agreement, identified as such, and signed by the client and by or on behalf of Gherson.