Today, Thursday 16th July 2020, the Grand Chamber of the Court of Justice of the EU ('CJEU') delivered a landmark judgement in data protection, declaring the EU-US Privacy Shield Decision that attempts to guarantee the transmission of EU data to the United States, invalid. In the same breath, the CJEU also declared Decision 2010/87 setting Standard Contractual Clauses as valid and effective.
This decision is of great significance in light of the effect of US surveillance laws, which have come under fire in the last few years (think, Edward Snowden), and how it poses the question as to how far data transfers from the European Economic Area ('EEA') to the US are valid.
Regulation 2016/679, the General Data Protection Regulation ('GDPR') states that data may not be transferred outside of the EEA unless there is a special mechanism allowing for this transfer.
The following are some of the special mechanisms:
- Declaration of adequacy by the EU Commission: The EU Commission has the power to determine, on the basis of article 45 of the GDPR whether a country outside the European Union ('EU') offers an adequate level of data protection. So far it has declared 12 countries to provide adequate protection. The 13th country, the United States of America (the 'US'), is also considered to provide adequate protection, however this is limited to the Privacy Shield Framework, Decision 2016/1250, on EU-US data transfers ('Privacy Shield Decision').
- Countries which do not fall within (i) above can use Decision 2010/87, setting Standard Contractual Clauses ('SCC Decision') for data transfers from a data controller in the EU to a non-EU or EEA data processor.
- Binding Corporate Rules or Codes of Conduct. These usually concern multinational corporations, but currently there are no approved codes of conduct for international data transfers.
- Lastly, Article 49 GDPR foresees derogations of the strict rules on data transfers like relying on consent or special cases, for instance, for the defence of legal claims.
Organisations in the US (such as Facebook Inc. referred to hereunder) and Europe relied upon mainly (i) and (ii) to ensure compliance with the GDPR when transferring personal data from the EU to the US.
Context for the landmark judgement
In 2013, pre-GDPR, Maximillian Schrems, an Austrian national and privacy activist, filed a complaint to the Irish Data Protection Commissioner ('Irish DPC') about the transfer of his personal data by Facebook Ireland to Facebook Inc. in the US.
Any person residing in the EU who wishes to use Facebook is required to conclude, at the time of his or her registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc. which is itself established in the US. Most personal data of Facebook Ireland's users who reside in the EU is transferred to servers belonging to Facebook Inc in the US, where it undergoes processing.
The EU Commission had already, as a result of the above, decided in 2015 that the 'Safe Harbour' Framework, for data transfer to the US was invalid. Subsequently, the EU Commission approved the EU-US Privacy Shield Decision.
Going forward, in the complaint, Mr Schrems explained that US law requires Facebook Inc. to make the personal data transferred to it available to certain US authorities such as the National Security Agency and the Federal Bureau of Investigation. He submitted that since that data was used in the context of various monitoring programs incompatible with the Charter of Fundamental Human Rights (the 'Charter'), the SCC Decision cannot justify the transfer of personal data to the US. In light of this, he requested that the Irish DPC prohibit or suspend the transfer of his personal data to Facebook Inc.
From a mere complaint to the Irish DPC, the case ended up before the Irish High Court, wherein it decided to stay proceedings and to refer a few questions to the CJEU for a preliminary ruling.
What did the Grand Chamber decide today?
In essence, the CJEU decided that the Privacy Shield is not a valid legal mechanism for the transfer of personal data from the EU to the US, while also claiming and upholding the validity of the SCC decision as a valid legal mechanism for the transfer of personal data from the EU to the US.
It explained that the Privacy Shield Decision does not ensure a level of protection essentially equivalent to that required by the Charter, and goes contrary to the requirement of Article 45(2)(a) of the GDPR, that a finding of equivalent depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. It was established that the monitoring programmes under US law do not confer rights which are enforceable against the US authorities. Moreover, US law does not correlate to the minimum safeguards required under EU law, such as the principle of proportionality, since it was established that the surveillance programmes are not limited to what is strictly necessary.
It should also be stated that in 2016, the EU Commission has also issued a preliminary draft decision on Standard Contractual Clauses, expressing that personal data would not be adequately protected in the US even if transferred under such clauses, since the clauses are not binding on the government in the recipient country. This seems to be in conflict with today's decision.
In light of the above, the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of such data transferred from the EU to the US, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, namely Article 52(1) of the Charter.
Why is this judgement significant?
The outcome of this decision is that any organisation transferring personal data from the EU to the US must make use of the SCC decision and thus implement the Standard Contractual Clauses for such transfer.
One can no longer rely upon compliance with the Privacy Shield. Transfer of personal data from the EU to the US that solely relies upon the US Government's Privacy Shield will, consequently, be deemed unlawful in terms of the GDPR.
Businesses transferring personal data from the EU must increasingly focus on the derogations in Article 49 of the GDPR, allowing transfers in situations such as contractual necessity or explicit consent – unless the recipient country has been officially flagged as adequate by the EU Commission.
Originally published 16 July, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.